Kivimaki sentence increased to nearly seven years in Vastaamo case marks one of the most consequential rulings in Finland’s legal history involving cybercrime and mass privacy violations. The Helsinki Court of Appeal has sentenced Aleksanteri Kivimaki to six years and 11 months in prison, a term that stands just one month short of the statutory maximum penalty of seven years for the offences in question.
The judgment reinforces the gravity of a case that has reshaped public understanding of digital security, medical confidentiality, and the limits of criminal law in the face of large scale technological harm.
The Court of Appeal upheld the findings of guilt originally delivered by the Western Uusimaa District Court in April 2024, but increased the prison term from six years and three months to six years and 11 months.
Prosecutors had sought the full seven year maximum. The appellate court stated that, in principle, such a maximum term would have been justified given the scale and seriousness of the offences. The sentence was reduced by one month because Kivimaki reached conditional settlement agreements with numerous victims regarding compensation.
However, the court made clear that the mitigating weight of those agreements was limited. The settlements were conditional, and no compensation had yet been paid. Judges noted that the agreements might reduce future legal costs but did not materially alter the severity of the crimes.
Kivimaki denied all charges throughout the proceedings and sought dismissal before the appeal court.
At the heart of the case is the 2018 intrusion into the database of psychotherapy provider Vastaamo, a private mental health clinic serving thousands of patients across Finland.
In November 2018, an unauthorised party accessed Vastaamo’s patient database using credentials that did not belong to him. The Court of Appeal determined that the intrusion was not opportunistic. It required dedicated software, a detailed technical plan, and deliberate efforts to evade detection.
Judges found that encrypted VPN connections were used to reduce traceability. The servers involved were protected with strong encryption methods, indicating that the breach required technical sophistication and persistence.
The case moved from cyber intrusion to direct victimisation in autumn 2020. After an unsuccessful attempt to extort money from Vastaamo itself, patients began receiving blackmail messages demanding payment in exchange for keeping their therapy records private. Sensitive session notes later surfaced on the Tor network, intensifying the public fallout.
The court convicted Kivimaki of aggravated data breach, aggravated attempted extortion, 20 counts of aggravated extortion, 9,231 counts of aggravated dissemination of information violating personal privacy, and 20,745 counts of aggravated attempted extortion.
Measured by the number of victims, the Vastaamo breach stands as the largest criminal case in Finnish history.
In its reasoning, the Court of Appeal described the crimes as a planned entity targeting an exceptionally large number of victims in a vulnerable position. Therapy records, by their nature, contain intimate disclosures about trauma, relationships, mental health struggles, and personal crises. The court concluded that the acts were conducive to causing significant suffering.
It further stated that the offences were driven by the aim of obtaining significant financial benefit. The economic motive, combined with the deliberate targeting of highly sensitive data, elevated the severity of the case.
The increased sentence sends a clear message about how Finnish courts are calibrating punishment in large scale cybercrime cases.
Finland’s statutory maximum for the relevant offences capped the court’s sentencing range at seven years. The judges acknowledged that, absent the conditional settlements, the maximum would have been imposed. The final term of six years and 11 months signals that the judiciary regarded the conduct as approaching the most serious form of these offences under Finnish law.
Yet the case also exposes structural limits. Even with tens of thousands of counts and thousands of identified victims, the sentencing framework imposed a ceiling that some observers argue does not fully reflect the magnitude of harm inflicted in digital mass victimisation.
The ruling may therefore influence ongoing debates about whether existing criminal statutes adequately address the realities of data driven crime in an era where a single breach can impact thousands simultaneously.
The procedural history has been as dramatic as the crimes themselves.
French police arrested Kivimaki near Paris in February 2023 following an international search. He was extradited to Finland and placed in pre trial detention. After more than two and a half years in custody, the district court released him in February 2024 during proceedings. The Court of Appeal later ordered him remanded again. He evaded authorities for approximately one week before police located him in a flat in central Helsinki.
During the appeal hearing in September, the court released him pending judgment, citing the length of his pre trial detention. Despite the possibility of seeking leave to appeal to the Supreme Court, the appeal court’s judgment is enforceable.
Under Finnish law, as a first time offender, Kivimaki becomes eligible for conditional release after serving half of his sentence. The Criminal Sanctions Agency will determine when he must report to prison to serve the remaining portion.
His lawyer, Peter Jaari, described the ruling as deeply disappointing and the least expected outcome among the defence’s alternatives. Jaari indicated that his client is currently abroad and that seeking leave to appeal is likely.
Beyond the individual sentence, the Vastaamo case has left a lasting scar on Finnish society.
Mental health treatment depends on trust. Patients must believe that what they disclose in therapy remains confidential. The breach shattered that assumption for thousands. It also forced institutions, regulators, and lawmakers to confront weaknesses in data protection oversight.
The case underscored the human cost of cybercrime. This was not abstract financial fraud. It involved deeply personal narratives exposed to the threat of public humiliation.
As separate proceedings continue in the district court, including charges against another individual for aiding aggravated extortion, the legal process remains unfinished. Yet the appellate ruling draws a decisive line. The Finnish judiciary has signalled that technologically sophisticated, financially motivated exploitation of vulnerable individuals will be treated at the highest end of the criminal scale available under current law.
In that sense, the Kivimaki sentence increased to nearly seven years in Vastaamo case is not merely a procedural development. It is a benchmark in how Finland confronts the intersection of digital systems, privacy, and criminal accountability.
