Vastaamo hack My darkest secrets were revealed to the world

pAs soon as MeriTuuli Auer saw the subject line in her junk folder she knew it was no ordinary spam email It contained her full name and her social security number the unique code Finnish people use to access public services and bankingppThe email was full of details about Auer no one else should knowppThe sender knew she had been having psychotherapy through a company called Vastaamo They said they had hacked into Vastaamos patient database and that they wanted Auer to pay 200 175 in bitcoin within 24 hours or the price would go up to 500 within 48 hoursppIf she did not pay they wrote your information will be published for all to see including your name address phone number social security number and detailed patient records containing transcripts of your conversations with Vastaamos therapistsppThats when the fear set in Auer 30 tells me I took sick leave from work I closed myself in at home I didnt want to leave I didnt want people to see meppShe was one of 33000 Vastaamo patients held to ransom in October 2020 by a nameless faceless hacker ppThey had shared their most intimate thoughts with their therapists including details about suicide attempts affairs and child sexual abuseppIn Finland a country of 56 million people everyone seemed to know someone who had their therapy records stolen It became a national scandal Finlands biggestever crime and the then Prime Minister Sanna Marin convened an emergency meeting of ministers to discuss a responseppBut it was already too late to stop the hackerppBefore sending the emails to Vastaamos patients the hacker had published the entire database of records stolen from the company on the dark web and an unknown number of people had read or downloaded a copy These notes have been circulating ever sinceppAuer had told her therapist things that she didnt even want her closest family members to know about her binge drinking and a secret relationship shed been having with a much older man ppNow her worst fears had come trueppBut instead of destroying her the hack made her realise she was far more resilient than she could have ever imaginedppAuers flat on the outskirts of Helsinki looks joyful Barbie memorabilia fills her shelves and theres a poledancing pole in the centre of her living room But dont be fooled by how things seem on the surface Auer says She has struggled with depression and anxiety for most of her lifeppIm outgoing and very confident and I love being around people Auer says but I get that inkling that they all think Im stupid and ugly and that my life is a continuum of mistakesppAuer first sought help in 2015 She told her Vastaamo therapist about her mental health problems her drinking and a relationship shed had aged 18 with an older man shed kept secret from her family She says she trusted her therapist completely and with his help she made real progress She had no idea what he had written in his notes of their conversationsppBy the time she received the ransom email news had already broken about the Vastaamo hack Three days earlier the extortionist had begun to dripfeed therapy notes on the dark web in batches of 100 a day in the hope of putting pressure on the company to pay the much larger ransom the bitcoin equivalent of around 400000 that he had been demanding from them for weeksppAuer says she felt compelled to look through them ppI had never used the dark web before But I was thinking to myself I just have to see if my records are thereppWhen she discovered they were not she closed the file and didnt read anyone elses records she says But she saw how other people on the dark web were mocking patients misery A 10yearold child had gone to therapy and people found it funnyppAnd a few days later when it became clear the records of every Vastaamo patient had been published Auers mental health began to deteriorate ppUnsure who was responsible or who might have read her most private thoughts she became terrified to take public transport leave home or even open the door to the postman She doubted the hacker would be foundppFinnish detectives also feared they wouldnt find the suspect given the volume of data they had to sift through ppI couldnt even imagine the scale of it This isnt a normal case says Marko Lepponen the detective who led the investigation for the Finnish policeppBut after two years of investigation in October 2022 they named their suspect Julius Kivimäki a known cybercriminal ppIn February 2023 Kivimäki was arrested in France and transported back to Finland to face chargesppNo courtroom is large enough for to accommodate the 21000 former Vastaamo patients who had registered themselves as plaintiffs in the criminal case so screenings were held in public spaces including cinemas to give them an opportunity to watch the trial ppDetermined to see Kivimäki face justice Auer attended one of the screenings and was struck by how unremarkable he looked ppHe looks just like a regular Finnish young man she tells me It made me feel like it could have been anyoneppWhen he was found guilty and sentenced to six years and seven months in prison she says it felt like a validation ppWhatever sentence he was given could never make up for everything The victims suffering was seen by the court I was thankful for thatppKivimäki continues to deny being responsible for the hackppIn the months after she learned about the hack Auer requested a hard copy of her records from Vastaamo ppHer notes sit in a thick stack on the table between us as she tells me what happenedppEven though their records were released more than five years ago Vastaamo patients continue to be victimised Someone has even built a search engine that allows users to find records on the dark web just by typing in a persons nameppAuer agrees to share some of her leaked therapy records with me ppThe patient is mostly angry impulsive bitter she says reading some of the first notes her therapist wrote about their sessions The patient recounts their past in a rambling manner There is some interpersonal difficulty stemming from the patients weaktempered nature typical for their ageppWhen she read them for the first time she was heartbroken Auer says I was hurt by how he had described me It made me feel sorry for the person I had beenppShe says the data breach has eroded patient trust There are a lot of people who were Vastaamo clients who had gone to therapy for years but are now never going to book another therapy sessionppThe lawyer representing Vastaamos victims in a civil case against the hacker has told me she knows of at least two cases where people have taken their own lives after learning their therapy notes had been stolenppAuer decided to confront her fears head on She posted on social media about the hack letting everyone know that she had been one of the victimsppIt was a a lot easier for me to know that everyone who knew me already knew she says She spoke to her family about what was in her leaked records including the secret relationship she had never told them about before People were very supportiveppFinally she chose to take back control of her story by publishing a book about her experiences Loosely translated the title is Everyone Gets to Know ppI crafted it into a narrative At least I can tell my side of the story the one thats not visible in the patient recordsppAuer has come to accept that her secrets will always be out there ppFor my own wellbeing its just better not to think about itppAll six episodes of Intrigue Ransom Man now available on BBC Sounds with episodes running weekly on BBC Radio 4 from 20 January 2026 at 0900 GMTppKidsAid is awarded a lottery grant to provide mental health services to schoolsppMark Stewart talks ahead of a new ultrasound trial in Oxford to help prevent Lewy Body DementiappThe University of Kent says people should think wisely about using AI to write Valentines Day lettersppIt comes in the same week an OpenAI researcher resigned amid concerns about its decision to start testing ChatGPT adsppVibecoding tools which let people without coding skills create apps using AI are exploding in popularityppCopyright 2026 BBC All rights reserved The BBC is not responsible for the content of external sites Read about our approach to external linkingpp p