Vastaamo Data Breach — Attack on Human Security, Dignity and Equity

CyberPeace Institute

Juliana Crema and Bernhard Schneider, staff members of the CyberPeace Institute, argue that inaddition to the technical issues, there is always a human element to take into account when examining the impact of cyberattacks.

Reports have been made public about a cyberattack against Vastaamo, a private company which runs 25 psychotherapy centres in Finland . Following previous data breaches in November 2018 and March 2019, it has been reported that attackers recently contacted staff at Vastaamo, demanding a ransom of EUR 450,000 (40 Bitcoins) for documents and patient medical records. Vastaamo refused to do this, and so the attackers began to  leak patient data onto the dark web, and are threatening to release a further 100 patient records for every day that the ransom is not paid.  In an attempt to acquire further payment, the attackers offered to delete data of patients affected by the breach in return for EUR 500. In  addition, the attackers began to contact the patients directly via email using the pseudonym “ransom_man”, and giving a deadline of 72 hours to pay a ransom.

Human impact of cyberattacks

Despite the highly sensitive nature of the information implicated in this attack, several victims have come forward to voice their outrage and concern, demonstrating the profound impact of cyberattacks on people; in addition to the technical aspect, there is always the human element to take into account, and therefore human security, human dignity, and human equity should always be considered when examining the impact of cyberattacks. 

As reported by Politico, one victim impacted by this cyberattack said “It was scary. I have never experienced anything like that… I don’t feel ashamed about going to therapy. But someone has all my other information, and they could steal my identity.” This is just one example of how a cyberattack can negatively impact someone’s sense of security, their dignity, and their ability to participate in society without fear of retribution. This particular case also reveals  the wide scope contained within vulnerable communities, as people from a range of ages, backgrounds, and histories were impacted. The particularly sensitive nature of the information is highlighted by another victim as reported by the BBC, who stated “I’m anxious about the fact that the attackers are in possession of my notes and conversations from those psychiatrist sessions… Those notes contain things I’m not ready to share with the world.” 

A lack of  boundaries and accountability 

Documenting the societal impact of cyberattacks is as important as information-sharing. In Finland, a sense of national unity and solidarity with the victims has emerged on social media and television, showing that the effects of cyberattacks transcends the technological aspects and has a real impact on people. It is of utmost importance that victims report cyberattacks to their local authorities, but it is also crucial to make these voices heard to allow true cyberpeace to exist. The CyberPeace Institute is working to lay the foundations for systemic change in cyberspace by refocusing the discussion and response efforts on those who are impacted. As the Vastaamo breach demonstrated, such cases must be reported when they occur, and strong cybersecurity measures need to be in place to protect sensitive data. Governments should enforce existing laws and allow for fast and efficient investigations to minimize the impact of future attacks. In line with this, the CyberPeace Institute has called on all governments to protect their critical civilian infrastructure from the harmful impact of cyber operations, and has launched the Cyber 4 Healthcare initiative to provide free support to healthcare professionals to acquire and improve their cyber security capabilities.  

The Vastaamo data breach reminds us that cyberattacks have a long-lasting and potentially devastating impact on people’s lives. To work towards a stable and inclusive cyberspace, we need to ensure that human security, dignity, and equity are upheld and respected everywhere.


The CyberPeace Institute is an independent, non-profit organization with the mission to enhance the stability of cyberspace. It does so by supporting vulnerable communities, analysing attacks collaboratively, and advancing responsible behaviour in cyberspace.

© Copyright: The CyberPeace Institute

© Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.


Support the CyberPeace Institute

Individual lives can be changed dramatically by the acts of cyber criminals. We need your support to assist victims of cyberattacks in the NGO, humanitarian and healthcare sectors.


Subscribe to our newsletter

Receive monthly news on what’s happening at the Institute: our impact, publications, events and important milestones.