A court in Finland announced its verdict on Julius “Zeekill” Kivimäki, one of the most infamous cybercriminals in Finland and former Lizard Squad member, for orchestrating the major hack of the Helsinki-basec psychotherapy center Vastaamo's patient database. Kivimäki has been sentenced to 6 years and 3 months in prison.

The Vastaamo breach came to light in October 2020, when a hacker under the moniker “Ransom Man” asked for an 450,000 euros ($485,000) ransom in bitcoin in exchange for not leaking patients’ private information.

After the medical facility refused to pay, the hacker began contacting individual patients, demanding they pay a ransom worth about 200 euros ($215) within 24 hours (or 500 euros ($540) if not paid within 48 hours), if they didn't want to see their private medical and financial details get leaked. Ultimately, over 20,000 records were leaked. The financial information stolen in the breach was also used to commit fraud.

Kivimäki, who hacked Vastaamo's database in autumn 2018, is said to have gained access to the center's sensitive patient data, comprising the personal information of approximately 33,000 individuals.

The hacker was arrested in France in February 2023 and extradited to Finland the same month. He was charged with multiple offenses, including aggravated data breach, invasion of privacy, attempted extortion, and blackmail.

During the trial, the prosecution pushed for the maximum penalty of seven years behind bars, emphasizing the gravity of Kivimäki's offenses and his disregard for the privacy and well-being of thousands affected by his actions. However, the court, while acknowledging the severity of the crimes and Kivimäki's reckless conduct, also took into consideration his agreement to conditional settlements on compensation claims with numerous plaintiffs.

Although Kivimäki had a prior conviction for fraud, stemming from false distress calls made to American Airlines and US authorities in 2014 when he was just 16-17 years old, he had not served any prison time in the five years preceding the Vastaamo breach, rendering him a first-time offender under Finnish law.

In April last year, the former top manager of Vastaamo Ville Tapio received a three-month suspended sentence for his failure to secure patient health records, as required under the EU's General Data Protection Regulation (GDPR).