Western Uusimaa District Court has found Aleksanteri Kivimäki guilty on all charges related to the hacking of psychotherapy centre Vastaamo's patient database and sentenced him to 6 years and 3 months in prison.
Kivimäki had faced charges including aggravated data breach, almost 9,600 counts of aggravated invasion of privacy related to the dissemination of information, more than 21,300 counts of attempted aggravated extortion, and 20 counts of aggravated blackmail.
There were more victims in this case than in any other in Finnish criminal history.
The prosecution in the case had told the court that the 26-year-old Kivimäki hacked into the firm's database, containing the personal information of an estimated 33,000 people, in autumn 2018.
He then attempted to extort money from both the company and its clients about two years later, threatening to spread the sensitive patient data on the dark web if they did not pay up.
Kivimäki initially demanded 370,000 euros in bitcoin from Vastaamo, the court heard, and began publishing patient records on the Tor network when the company refused to pay.
The prosecution had called on the court to hand Kivimäki the maximum possible sentence of seven years in jail.
In deciding on the sentence, the court said it took into account the seriousness of the crimes, the manner in which they were committed, and Kivimäki's own reckless attitude.
However, as a mitigating factor, it also noted that the defendant had agreed to conditional settlements on compensation claims with thousands of the plaintiffs in the case.
Kivimäki's lawyer Peter Jaari told reporters that his client is disappointed with the court's verdict and will very likely appeal the ruling. Kivimäki still denies any wrongdoing, Jaari added.
Previous conviction not taken into account
Although Kivimäki has a prior conviction for fraud, he had not served any prison time in the five years preceding the hacking of Vastaamo's database and was therefore considered to be a first-time offender under Finnish law.
He was previously found guilty of fraud against American Airlines and the US authorities, after he made false distress calls that led US police departments to send special forces to people's homes and the airline to abort a flight.
Kivimäki made the calls in 2014, when he was 16-17 years old. The Helsinki Court of Appeal handed him a 10-month suspended prison sentence in 2022 along with a fine.
Helsinki District Court handed Vastaamo's former CEO Ville Tapio a three-month suspended prison sentence in April last year on a data protection charge because he did not fulfil General Data Protection Regulation (GDPR) requirements. This verdict was appealed by both Tapio and the prosecutor, and the appeal hearing will begin in May 2025.