My darkest secrets were revealed to the world

As soon as Meri-Tuuli Auer saw the subject line in her junk folder, she knew this was no ordinary spam email. It contained his full name and social security number (the unique code Finns use to access public services and banking).

The email was full of details about Auer that no one should know.

The sender knew that he was receiving psychotherapy through a company called Vastaamo. They said they hacked into Vastaamo’s patient database and asked Auer to pay €200 (£175) in bitcoin within 24 hours or the price would rise to €500 within 48 hours.

If he doesn’t pay, “your information, including your name, address, phone number, social security number, and detailed patient records containing transcripts of your conversations with Vastaamo’s therapists, will be released for public viewing,” they wrote.

“That’s when the fear set in,” Auer, 30, told me. “I took sick leave from work, locked myself in the house. I didn’t want to leave. I didn’t want people to see me.”

He was one of 33,000 Vastaamo patients held for ransom by a nameless and faceless hacker in October 2020.

They had shared their most intimate thoughts with their therapists, including details about suicide attempts, affairs, and child sexual abuse.

In Finland, a country of 5.6 million people, everyone seemed to know someone who had their therapy records stolen. This became a national scandal, Finland’s worst crime ever, and then-Prime Minister Sanna Marin called an emergency meeting of ministers to discuss the response.

But it was too late to stop the hacker.

Before sending the emails to Vastaamo’s patients, the hacker had posted the entire database of records stolen from the company on the dark web, and an unknown number of people had read or downloaded a copy. These notes have been circulating ever since.

Auer had told his therapist things he didn’t want even his closest family members to know; about her excessive drinking and secret affair with a much older man.

Now their worst fears had come true.

But instead of destroying him, the hack made him realize that he was much more resilient than he could have ever imagined.

Auer’s apartment on the outskirts of Helsinki looks cheerful. Barbie memorabilia fills her shelves, and there’s a pole dancing pole in the middle of the living room. But Auer says don’t be fooled by how things appear on the surface. He has struggled with depression and anxiety for most of his life.

“I’m outgoing and very confident, and I love being around people, but I feel like they all think I’m stupid and ugly and that my life is a mess of mistakes,” says Auer.

Auer first sought help in 2015. Vastaamo told her therapist about her mental health problems, her drinking, and an affair she had with an older man when she was 18, which she hid from her family. He says he completely trusts his therapist and is making real progress with his help. He had no idea what he had written in his notes of their conversations.

By the time he received the ransom email, news about the Vastaamo hack had already emerged. Three days earlier, the extortionist had begun dripping therapy notes on the dark web in batches of 100 a day, hoping to pressure the company into paying the much larger ransom (the bitcoin equivalent of around £400,000) that he had been demanding for weeks.

Auer says he felt compelled to study them.

“I had never used the dark web before. But I was thinking to myself that I should see if my records were there.”

When he discovered it wasn’t, he closed the file and didn’t read anyone else’s records, he says. But he saw how other people on the dark web made fun of patients’ suffering. “A 10-year-old kid went to therapy and people thought it was funny.”

A few days later, when it became clear that the records of all Vastaamo patients had been published, Auer’s mental health began to fail.

Unsure of who was in charge or who was reading her most private thoughts, she was afraid to take public transportation, leave the house, or even open the door for the postman. He doubted the hacker would be found.

Finnish detectives also feared they would not be able to find the suspect due to the amount of data they had to review.

“I couldn’t even imagine the magnitude of the incident. This is not a normal case,” says detective Marko Lepponen, who led the investigation on behalf of the Finnish police.

However, after two years of investigation, they named the suspect in October 2022: Julius Kivimäki is a known cybercriminal.

In February 2023, Kivimäki was arrested in France and sent back to Finland to face charges.

Since no courtroom was large enough to accommodate the 21,000 former Vastaamo patients who had registered themselves as plaintiffs in the criminal case, screenings were held in public places, including cinemas, to give the opportunity to watch the trial.

Determined to see Kivimäki face justice, Auer attended one of the screenings and was stunned by how ordinary he looked.

“He looks like an ordinary Finnish young man,” he tells me. “It gave me the feeling that it could be anyone.”

When found guilty and was sentenced to six years and seven months in prison, He says it felt like validation.

“Whatever sentence was given to him could not make up for everything. The suffering of the victims was seen by the court, and for that I was grateful.”

Kivimäki continues to deny responsibility for the attack.

In the months after learning of the attack, Auer requested a hard copy of his records from Vastaamo.

His notes lie in a thick pile on the table between us as he tells me what happened.

Vastaamo patients continue to be victimized even though their records were published more than five years ago. Someone even developed a search engine that allows users to find records on the dark web by simply typing a person’s name.

Auer agrees to share some of the leaked therapy records with me.

“The patient is often angry, impulsive, and harsh,” she says, reading some of the first notes her therapist wrote about her sessions. “The patient describes his past in a rambling manner. The patient has some interpersonal difficulties arising from his weak-tempered nature, which is typical for his age.”

Auer says she was heartbroken when she first read them. “I was hurt by the way he described me. It made me feel sorry for the person I was.”

He says the data breach eroded patient trust. “There are many people who are Vastaamo customers who have been going to therapy for years but will no longer book another therapy session.”

The lawyer representing Vastaamo victims in a civil lawsuit against the hacker told me that he knew of at least two cases in which people took their own lives after learning their therapy notes had been stolen.

Auer decided to face his fears head on. She posted about the attack on social media, letting everyone know that she was one of the victims.

“It was a lot easier for me to know that everyone who knew me already knew,” he says. She talked to her family about what was happening in her leaked recordings, including the secret relationship she had never talked about before. “People were very supportive.”

She eventually chose to take back control of her story by publishing a book about her experiences. Loosely translated, the title is Everyone Will Know It.

“I turned it into a narrative. At least I can tell my side of the story—the side that doesn’t show up in the patient records.”

Auer has come to accept that his secrets will always be out there.

“For my own sake, it’s better not to think about it.”