A faceless hacker stole my therapy notes – now my deepest secrets are online forever

Jenny Kleeman, BBC News

As soon as Meri-Tuuli Auer saw the subject line in her junk folder, she knew it was no ordinary spam email. It contained her full name and her social security number - the unique code Finnish people use to access public services and banking.

The email was full of details about Auer no one else should know.

The sender knew she had been having psychotherapy through a company called Vastaamo. They said they had hacked into Vastaamo's patient database and that they wanted Auer to pay €200 (£175) in bitcoin within 24 hours, or the price would go up to €500 within 48 hours.

If she did not pay, they wrote, "your information will be published for all to see, including your name, address, phone number, social security number and detailed patient records containing transcripts of your conversations with Vastaamo's therapists".

Image caption: Auer told her therapist things about her life she didn't want her family to know (photo: Meri-Tuuli Auer)

"That's when the fear set in," Auer, 30, tells me. "I took sick leave from work, I closed myself in at home. I didn't want to leave. I didn't want people to see me."

She was one of 33,000 Vastaamo patients held to ransom in October 2020 by a nameless, faceless hacker.

They had shared their most intimate thoughts with their therapists including details about suicide attempts, affairs and child sexual abuse.

In Finland, a country of 5.6 million people, everyone seemed to know someone who had their therapy records stolen. It became a national scandal, Finland's biggest-ever crime, and the then Prime Minister Sanna Marin convened an emergency meeting of ministers to discuss a response.

But it was already too late to stop the hacker.

Before sending the emails to Vastaamo's patients, the hacker had published the entire database of records stolen from the company on the dark web and an unknown number of people had read or downloaded a copy. These notes have been circulating ever since.

Auer had told her therapist things that she didn't even want her closest family members to know - about her binge drinking, and a secret relationship she'd been having with a much older man.

Now, her worst fears had come true.

But instead of destroying her, the hack made her realise she was far more resilient than she could have ever imagined.

Image caption: Auer has struggled with depression for most of her life (photo: Meri-Tuuli Auer)

Auer's flat, on the outskirts of Helsinki, looks joyful. Barbie memorabilia fills her shelves and there's a pole-dancing pole in the centre of her living room. But don't be fooled by how things seem on the surface, Auer says. She has struggled with depression and anxiety for most of her life.

"I'm outgoing and very confident and I love being around people," Auer says, "but I get that inkling that they all think I'm stupid and ugly, and that my life is a continuum of mistakes."

Auer first sought help in 2015. She told her Vastaamo therapist about her mental health problems, her drinking and a relationship she'd had aged 18 with an older man she'd kept secret from her family. She says she trusted her therapist completely and with his help she made real progress. She had no idea what he had written in his notes of their conversations.

By the time she received the ransom email, news had already broken about the Vastaamo hack. Three days earlier, the extortionist had begun to drip-feed therapy notes on the dark web in batches of 100 a day, in the hope of putting pressure on the company to pay the much larger ransom - the bitcoin equivalent of around £400,000 - that he had been demanding from them for weeks.

Auer says she felt compelled to look through them.

"I had never used the dark web before. But I was thinking to myself, I just have to see if my records are there."

When she discovered they were not, she closed the file and didn't read anyone else's records, she says. But she saw how other people on the dark web were mocking patients' misery. "A 10-year-old child had gone to therapy, and people found it funny."

And a few days later, when it became clear the records of every Vastaamo patient had been published, Auer's mental health began to deteriorate.

Unsure who was responsible, or who might have read her most private thoughts, she became terrified to take public transport, leave home, or even open the door to the postman. She doubted the hacker would be found.

Image caption: Auer was one of 21,000 former Vastaamo patients who registered as plaintiffs in the case (photo: Meri-Tuuli Auer)

Finnish detectives also feared they wouldn't find the suspect given the volume of data they had to sift through.

"I couldn't even imagine the scale of it. This isn't a normal case," says Marko Lepponen, the detective who led the investigation for the Finnish police.

But after two years of investigation, in October 2022, they named their suspect: Julius Kivimäki, a known cybercriminal.

In February 2023 Kivimäki was arrested in France and transported back to Finland to face charges.

No courtroom is large enough to accommodate the 21,000 former Vastaamo patients who had registered themselves as plaintiffs in the criminal case, so screenings were held in public spaces including cinemas to give them an opportunity to watch the trial.

Determined to see Kivimäki face justice, Auer attended one of the screenings and was struck by how unremarkable he looked.

"He looks just like a regular Finnish young man," she tells me. "It made me feel like it could have been anyone."

When he was found guilty, and sentenced to six years and seven months in prison, she says it felt like a validation.

"Whatever sentence he was given could never make up for everything. The victims' suffering was seen by the court - I was thankful for that."

Kivimäki continues to deny being responsible for the hack.

Image caption: Kivimäki was sentenced to more than six years in prison for the hacking of Vastaamo (photo: Europol)

In the months after she learned about the hack, Auer requested a hard copy of her records from Vastaamo.

Her notes sit in a thick stack on the table between us as she tells me what happened.

Even though their records were released more than five years ago, Vastaamo patients continue to be victimised. Someone has even built a search engine that allows users to find records on the dark web just by typing in a person's name.

Auer agrees to share some of her leaked therapy records with me.

"The patient is mostly angry, impulsive, bitter," she says, reading some of the first notes her therapist wrote about their sessions. "The patient recounts their past in a rambling manner. There is some interpersonal difficulty stemming from the patient's weak-tempered nature, typical for their age."

When she read them for the first time she was heartbroken, Auer says. "I was hurt by how he had described me. It made me feel sorry for the person I had been."

She says the data breach has eroded patient trust. "There are a lot of people who were Vastaamo clients who had gone to therapy for years but are now never going to book another therapy session."

The lawyer representing Vastaamo's victims in a civil case against the hacker has told me she knows of at least two cases where people have taken their own lives after learning their therapy notes had been stolen.

Auer decided to confront her fears head on. She posted on social media about the hack, letting everyone know that she had been one of the victims.

"It was a lot easier for me to know that everyone who knew me already knew," she says. She spoke to her family about what was in her leaked records, including the secret relationship she had never told them about before. "People were very supportive."

Finally, she chose to take back control of her story by publishing a book about her experiences. Loosely translated, the title is Everyone Gets to Know.

"I crafted it into a narrative. At least I can tell my side of the story – the one that's not visible in the patient records."

Auer has come to accept that her secrets will always be out there.

"For my own wellbeing, it's just better not to think about it."

