When Confidentiality Fails: Lessons from the Vastaamo Therapy Records Scandal

Kevin Modiri

Reading time: 4 minutes

When we talk about data breaches in a legal context, it is often abstract: infosec teams patching servers, regulators issuing fines, class actions filed in courts. But every now and then a case comes along that brings home just how deeply the law intersects with human vulnerability. The Vastaamo data breach in Finland, recently revisited by BBC News on 17 January 2026 (see Vastaamo hack: My darkest secrets were revealed to the world – BBC News), in which deeply personal therapy notes from around 33,000 patients were stolen, used to extort those individuals and ultimately published on the dark web, is exactly that sort of case.

As a solicitor advising on civil claims arising from data breaches, I advise on two sides of these cyber incidents: the duties and exposures of organisations that hold data; and the rights and remedies for individuals whose privacy has been violated. The Vastaamo fiasco starkly illustrates both.

What happened?

In late 2020, the private psychotherapy provider Vastaamo in Finland confirmed that its patient database had been breached. The attackers gained unauthorised access to psychotherapy session records, including social security numbers, email addresses and the most sensitive personal disclosures patients had made during therapy.

In an escalation that sent shockwaves through privacy and cybersecurity circles, the perpetrator didn’t just demand ransom from the organisation. When the company didn’t pay, he directly extorted the patients themselves: threatening to publish their most intimate communications unless they paid sums to him in bitcoin.

The hacker, eventually identified as Finnish national Aleksanteri Kivimäki, was arrested in France and extradited to Finland, where he was tried and convicted on charges including aggravated data breach and extortion, receiving a term of over six years’ imprisonment.

From an English & Welsh civil law perspective

Many organisations I work with understand that a breach can damage their organisation’s reputation or lead to regulatory fines under GDPR. What the Vastaamo case makes painfully clear is that data breaches can lead to profound personal harm and significant civil liability.

  1. The nature of “special category” data

Therapy notes are what the UK GDPR and the Data Protection Act 2018 refer to as special category data, which includes information that is intrinsically sensitive, such as health and psychological conditions. Processing this data carries heightened obligations: organisations must implement appropriate technical and organisational measures to protect it. In the Vastaamo case, investigators later found that basic safeguards such as encryption, anonymisation and robust access controls had not been properly implemented.

In civil claims here in England & Wales, failure to implement appropriate safeguards is likely to be central to any action for damages. Damages can be awarded not only for financial loss but also for distress and emotional harm. In practice, however, distress that is not significant is only likely to attract nominal damages, and that usually presents a substantial bar to the viability of pursuing such claims to trial.

  2. The duty beyond breach notification

Under the UK GDPR, controllers must notify the Information Commissioner’s Office (ICO) without undue delay, and where feasible within 72 hours of becoming aware of it, if a breach is likely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk to those individuals, they must also communicate it to the affected data subjects without undue delay. Failing to do so can expose a controller not only to regulatory action but also to civil claims.

In the Vastaamo scenario, the full extent of the breach was reportedly not disclosed for a prolonged period, a delay that allowed the extortion scheme to take root and exacerbated harm to patients.

  3. Tortious claims: negligence and invasion of privacy

In England & Wales, a victim suffering real harm from a data breach can pursue not only a claim for breach of the Data Protection Act but also a claim in negligence, if it can be shown that:

  • the organisation owed a duty of care to protect data;
  • it breached that duty by failing to take reasonable precautions; and
  • the breach caused reasonably foreseeable harm.

The scale of Vastaamo, involving thousands of individuals, most of them vulnerable, underscores why organisations holding sensitive data owe a high duty of care. In cases where especially intimate data is involved, there may also be scope for claims under the actionable tort of misuse of private information, which has been recognised in our courts where confidentiality is deeply breached.

  4. Psychological harm & not just financial loss

One of the hardest lessons from Vastaamo comes from the testimony of victims, who describe the breach as a ruin of trust, not just a data leak. Mental health records are not credit card numbers; they are the diaries of the mind. The very idea that personal thoughts, anxieties and traumas were exposed and resold or published compounds the harm.

In civil claims here, courts can and do award damages for mental injury where it is a reasonably foreseeable result of a defendant’s breach. The interplay between data protection obligations and established civil wrongs means that damages for distress and psychological damage could be significant.

What organisations should do now

For organisations in the UK processing personal or sensitive data, the lessons are stark:

  • Review and test security measures: encryption, access control, logging and monitoring are not optional;
  • Document everything: risk assessments, DPIAs, incident response plans and training records;
  • Act quickly and transparently in a breach: delay compounds liability; and
  • Get expert legal and forensic support at first sign of trouble.

These steps are not just regulatory checkboxes; they can make a critical difference between managing a breach and being embroiled in years of litigation.

How can we help?

Kevin Modiri is a Partner in our expert Dispute Resolution team, specialising in civil disputes, insolvency, inheritance disputes, data breach claims and defamation claims.

If you’re facing a defamation issue or need advice about protecting your reputation, please do not hesitate to contact Kevin or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
