Then a Hacker Began Posting Patients’ Deepest Secrets Online

The next morning, Jere checked Twitter, where he was both horrified and relieved to learn that thousands of others had received the same threat. “Had I been one of the only people to get the mail, I would have been more scared,” he says.

Vastaamo ran the largest network of private mental-health providers in Finland. In a country of just 5.5 million—about the same as the state of Minnesota—it was the “McDonald’s of psychotherapy,” one Finnish journalist told me. And because of that, the attack on the company rocked all of Finland. Around 30,000 people are believed to have received the ransom demand; some 25,000 reported it to the police. On October 29, a headline in the Helsinki Times read: “Vastaamo Hacking Could Turn Into Largest Criminal Case in Finnish History.” That prediction seems to have come true.

If the scale of the attack was shocking, so was its cruelty. Not just because the records were so sensitive; not just because the attacker, or attackers, singled out patients like wounded animals; but also because, out of all the countries on earth, Finland should have been among the best able to prevent such a breach. Along with neighboring Estonia, it is widely considered a pioneer in digital health. Since the late 1990s, Finnish leaders have pursued the principle of “citizen-centered, seamless” care, backed up by investments in technology infrastructure. Today, every Finnish citizen has access to a highly secure service called Kanta, where they can browse their own treatment records and order prescriptions. Their health providers can use the system to coordinate care.

Vastaamo was a private company, but it seemed to operate in the same spirit of tech-enabled ease and accessibility: You booked a therapist with a few clicks, wait times were tolerable, and Finland’s Social Insurance Institution reimbursed a big chunk of the session fee (provided you had a diagnosed mental disorder). The company was run by Ville Tapio, a 39-year-old coder and entrepreneur with sharp eyebrows, slicked-back brown hair, and a heavy jawline. He’d cofounded the company with his parents. They pitched ­Vastaamo as a humble family-run enterprise committed to improving the mental health of all Finns.

For nearly a decade, the company went from success to success. Sure, some questioned the purity of Tapio’s motives; Kristian Wahlbeck, director of development at Finland’s oldest mental health nonprofit, says he was “a bit frowned-upon” and “perceived as too business-minded.” And yes, there were occasional stories about Vastaamo doing shady-seeming things, such as using Google ads to try to poach prospective patients from a university clinic, as the newspaper Iltalehti reported. But people kept signing up. Tapio was so confident in what he’d created that he spoke about taking his model overseas.

Before “the incident,” Tapio says, “Vastaamo produced a lot of social good.” Now he is an ex-CEO, and the company he founded is being sold for parts. “I’m so sad to see all the work done and the future opportunities suddenly go to waste,” he says. “The way it ended feels terrible, unnecessary, and unjustified.”

Tapio grew up in a “peaceful and green” neighborhood in northern Helsinki during a bad recession. His mother, Nina, was a trauma psychotherapist, and his father, Perttu, a priest. His grandparents gave him a used Commodore 64 when he was 10, which led him to an interest in coding. Something in his brain resonated with the logical challenge of it, he says. He also saw it as a “tool to build something real.”

The obsession endured: In middle school Tapio coded a statistics system for his basketball team, and in high school he worked for the Helsinki Education Department, showing teachers how to use their computers. Rather than going to college, he set up an online shop selling computer parts—his first business, funded with “a few tens of euros,” he says. A couple of years later, at age 20, he joined a small management consultancy.

Be the first to comment

Leave a Reply

Your email address will not be published.


*