Knowing the timeline of events and the nicknames attributed to him (ryanlol included), some interesting posts can be found. For example, in the period between the CEO starting communication (September 2020) and the clinic's public admission (October 2020) [1], ryanlol replied to a top comment (Oct 3, 2020): "If you’re a hospital or, say, a school district, 'never pay' is simply an unconscionable attitude" [2]. Isn't it a hacker raging at the management that refuses to pay?
I find it strange to report on a hacker releasing personal information, while building the narrative of the story with all of the personal details like "she’d had three children by the time she was 25, including twins who had been born extremely prematurely in the 1980s, weighing only a few hundred grams each", "crumbling marriage", and suicidal ideations.
I thought the whole point is that they were upset that their personal life was being broadcasted to the internet.
As per (AFAIK) this hacker's rant on some Tor-based image board, he gloated the login credentials to the Vastaamo's systems were admin:admin. So much for 'hacker god'. This is a Hackers (1995) tier vulnerability. Also, it's sickening that YOLOing security to this extent is even possible in 2020s.
> "Unfortunately, we have to ask you to pay to keep your personal information safe.”
I can't put my finger on why, but the faux "aw shucks, our hands are tied" makes me even more pissed off by the fact that they're leaking people's therapy notes. Just come out and say you're an amoral money seeker.
I'm a broken record about this by now, but stories like these keep reminding me how broken the law is for ethical hackers in Germany. If an ethical hacker found something like this in Germany, it would from my knowledge not be clear if entering an empty password counts as "circumventing or breaking a security barrier". "No password barrier" has recently been clarified in courts, but "Static Password" hasn't.
And once you break a security barrier, you're breaking the law. Even GDPR doesn't help you there - that just ensures more people are breaking different laws. And this can get all your devices seized, land you in jail, end your career, cause thousands of Euros of equipment loss, because the new laptop naturally got lost in the return process after 6 - 12 months.
And thus, many people with the skill to find such problems and report them silently to get them closed do ... nothing. Until bad people find these holes and what the article describes happens. And Europe has hacker groups who could turn our cybersecurity upside down in a good way. Very frustrating topic.
> At the end of the trial, however, this had little impact on the verdict. The presiding judge stated for the record that the mere fact that the [publicly available] software had set a password for the connection meant that viewing the raw data of the [publicly available] program and subsequently connecting to the [publicly available] Modern Solution database constituted a criminal offense under the hacker paragraph.
Yes, taking publicly available data verbatim (no ROT13, nothing) and talking to a publicly available server on the internet can in fact be a criminal offense.
Thank you for providing an example that is exactly showing how messed up this is:
> Der Vorsitzende Richter gab zu Protokoll, dass alleine die Tatsache, dass die Software ein Passwort für die Verbindung gesetzt habe, bedeute, dass ein Blick in die Rohdaten des Programms und eine anschließende Datenbankverbindung zu Modern Solution den Straftatbestand des Hackerparagrafen erfülle
> The Judge gave to protocol that just the fact that the software requires a password for the connection, implies that a look at the raw data of the program and a subsequent database connection is considered hacking.
So yes, entering an empty password can cause all of your electronic devices in all your registered residences to be seized as evidence.
Note that the decompilation is on the complexity level of "strings $binary".
"the patient records database was accessible via the internet; there was no firewall and, perhaps most egregiously, it was secured with a blank password, so anyone could just press enter and open it"
There _should_ be a bunch of people in jail for that. Including, but not limited to the CEO. It should also include all the people on the org chart between whoever set that database up and the CEO.
Indeed, the CEO was held criminally liable, but the charges were dropped in a higher court just recently. From the article:
"In April 2023, Tapio was found guilty of criminal negligence in his handling of patient data. His conviction was overturned on appeal in December 2025. (He declined my requests to interview him.)"
More specifically, he was charged of a data protection crime (i.e., note that in Finland these GDPR-like things are also in the criminal law). However, based on local news, I suppose there was not enough evidence that it was specifically a responsibility of a CEO or that CEO-level gross negligence occurred.
According to this report [1] the appeal was about specific requirements like encryption, and he claimed he had delegated it. So it is clear that it is hard to actually hold people responsible.
> The appellate court rejected the prosecution's argument and dismissed all charges. In its unanimous decision, the court stated that neither the GDPR nor the applicable Finnish healthcare legislation required encryption or pseudonymisation of patient data at the time in question.
> Prosecutors alleged that Tapio knew about the March 2019 breach and failed to act. They claimed he neglected legal obligations to report and document the incident and did not take sufficient steps to protect the database. Tapio denied the claims, saying he was unaware of the breach until autumn 2020 and had delegated technical oversight to external IT professionals.
> The court found there was no clear legal requirement at the time obliging Tapio, as CEO, to take the specific security measures cited by the prosecution. These included firewall management, password policies, access controls, VPN implementation, and security updates.
> According to the ruling, the failure to adopt such measures did not, in the court’s view, constitute criminal negligence under Finnish law.
> Tapio’s conduct during and after the 2019 breach did not meet the threshold for criminal liability, the court concluded.
Funny whenever people complain about the GDPR here they're thinking they would be slapped with a €20Mi fine and that EU team 6 is going to parachute in their office and arrest everyone
> Exactly, was it a burglary when your front door is open, lights on, spotlights on your wall safe, with the keys still inserted?
The thing isn't just the discovery of the "open door", though. Thousands of people were extorted in a pretty heinous way. Even if we say breaking in took little sophistication or effort, what was done with the data also matters.
>Exactly, was it a burglary when your front door is open
Legally speaking, yes in every place I've ever lived if all those things are the case it's still a burglary, although the cops may call the victim an idiot.
Yes. Similarly, If I leave my car unlocked with the keys in the ignition, and someone takes it is still a crime. It might be unwise to do that (depending on where you are), but nonetheless it is still crime.
It's an odd position to take, that a crime was not committed or the offense isn't as bad if the difficulties of committing the crime have been removed or reduced.
Someone presented a hypothetical scenario: What if a hacker would write a virus, which breached a totally unprotected database after the hacker has passed away. It's clear that the therapy provider is at least partially responsible.
Yup, I heard of an ERP full of microservices and many endpoints dont check authorization at all and the auth mechanism doesnt check valid user credentials. Seems like they are very common.
Still reading the story but just hit that line and came here to snarkily post, “another MongoDB success story”. I should probably talk to my therapist about this desire to be seen as funny.
Unfortunately that relies on Joe Tidy as the source.
I tend to refrain from being overly critical of journalists who write about me, but Joe Tidy is a special kind of idiot who wrote an entire book about me based mostly around interviews of people who aren't actually the people they claim to be.
In some circumstances it has a registration wall. I recently ran into it on one of my computers, and it prevented me from reading some articles until I removed the modals with browser devtools. Stupid and pointless, and just pushes people away or towards workarounds like archive.is. I've given The Guardian money in the past but I don't have or want an account.
Just because you immediately clicked "yeah sure sell all my data so I don't have to pay" doesn't mean it's not paywalled, please be a little more discerning.
He’s done less than seven years of time, shows no remorse and even denies doing it in the first place. You dropped the ball on this Finland, don’t be surprised when he does it again. What a disgusting human being.
I'd bet good money that this dude has some sort of antisocial personality disorder, and really can't be "cured", so to speak.
Something tells me he'll try to sneak out of Finland (which is easy due to Schengen), purchase a new passport, and leave Europe.
I guess a silver lining here is the possibility that he'll commit crimes in countries with far harsher penalties than Finland.
I've lived in Finland myself, and currently live in Norway. Lax punishments for the sake of rehabilitation is the standard, and I'm fine with that. But some people, like this one, simply can't be rehabilitated.
This isn't a great solution, but it has helped me forgive myself, maybe it can be a trend in the future: You didn't pick your DNA, you didn't pick your environment. (Determinism in a nutshell)
The bad things that happened to you, and the bad thing you did, should be seen as somewhat outside our control.
I think of my worst google searches (nsfw stuff) and think: "Well, I'm just a chemical reaction."
But then again, I read the book A Billion Wicked Thoughts and found I'm pretty vanilla, we just don't talk about these things out loud.
Maybe my life is tame, but even when I hear from other people, everything seems pretty reasonable.
I know this is an 'after the fact' fix, but its a tool for our toolbox. We could look at people who criticize us as people who are ignorant of Determinism. (But we still need mechanisms to deter bad behavior)
Any insurance covered therapy in the US. And assume any private practice that does not explicitly state they do not electronically store session notes.
Apart from therapy, I expect a lot of sensitive and private information to be hacked and released in the next 10 years. Most importantly, all non securely encrypted text based communications.
Ethically speaking it seems like you should not be accessing commercial news sites if you're not willing to pay in some way for the work of the people writing the articles.
Show context-based ads instead of spying on people would be a good start. That should be the only form of legal advertising. It is for sure the only form of potentially ethical advertising.
I also pay to get past paywalls when a site has content I want to read, rather than try to sneak past using some dodgy mirror.
"Jazz police are looking through my folders. Jazz police are talking to my niece. Jazz police have got their final orders. Jazzer, drop your axe, it's jazz police!"
Knowing the timeline of events and the nicknames attributed to him (ryanlol included), some interesting posts can be found. For example, in the period between the CEO starting communication (September 2020) and the clinic's public admission (October 2020) [1], ryanlol replied to a top comment (Oct 3, 2020): "If you’re a hospital or, say, a school district, 'never pay' is simply an unconscionable attitude" [2]. Isn't it a hacker raging at the management that refuses to pay?
[1] https://news.ycombinator.com/item?id=24672687
>Isn't it a hacker raging at the management that refuses to pay?
Nope
Julius Kivimäki was released pending the outcome of his appeal. https://www.bankinfosecurity.com/finnish-vastaamo-hacker-fre...
The article cites "Ryan" as one of his aliases, so the id ryanlol commenting in this thread could plausibly be Kivimäki.
Could plausibly be, but there are many people using the name 'Ryan'. Maybe this one saw an opportunity to troll everyone.
https://news.ycombinator.com/item?id=40214049
I find it strange to report on a hacker releasing personal information, while building the narrative of the story with all of the personal details like "she’d had three children by the time she was 25, including twins who had been born extremely prematurely in the 1980s, weighing only a few hundred grams each", "crumbling marriage", and suicidal ideations.
I thought the whole point is that they were upset that their personal life was being broadcasted to the internet.
Maybe they agreed to those details being published.
probably because the secrets released were much more confidential and serious than that?
Also consent.
Wait for the other person to do so willingly seems kinda good advice in many areas.
Wasn't he the guy that used tar for the leaked folder of data, but the tar included his user folder which contained his legal name?
It's in the article. Not sure it had his name, but certainly his family name since he looked for records concerning his relatives.
Ah yes-- I first heard of this via an entertaining video about it, "One Drunken Mistake Destroyed Finland's Scummiest Hacker", see below.
https://www.youtube.com/watch?v=pyCcvPfT_jU
7 replies →
The queries appear to have been looking for me specifically, filtering by date of birth. That wouldn't be a good way to find my relatives.
2 replies →
Yes, the tar command claims another victim. Tested while inside /var/www/html/vastaamo and then stuffed it in the crontab.
For reference:
No, that did not actually happen.
What did happen, then?
Is this the same ryanlol that hacked Linode and had beef with them over some bitcoins that Linode stole from him?
As per (AFAIK) this hacker's rant on some Tor-based image board, he gloated the login credentials to the Vastaamo's systems were admin:admin. So much for 'hacker god'. This is a Hackers (1995) tier vulnerability. Also, it's sickening that YOLOing security to this extent is even possible in 2020s.
> "Unfortunately, we have to ask you to pay to keep your personal information safe.”
I can't put my finger on why, but the faux "aw shucks, our hands are tied" makes me even more pissed off by the fact that they're leaking people's therapy notes. Just come out and say you're an amoral money seeker.
I'm a broken record about this by now, but stories like these keep reminding me how broken the law is for ethical hackers in Germany. If an ethical hacker found something like this in Germany, it would from my knowledge not be clear if entering an empty password counts as "circumventing or breaking a security barrier". "No password barrier" has recently been clarified in courts, but "Static Password" hasn't.
And once you break a security barrier, you're breaking the law. Even GDPR doesn't help you there - that just ensures more people are breaking different laws. And this can get all your devices seized, land you in jail, end your career, cause thousands of Euros of equipment loss, because the new laptop naturally got lost in the return process after 6 - 12 months.
And thus, many people with the skill to find such problems and report them silently to get them closed do ... nothing. Until bad people find these holes and what the article describes happens. And Europe has hacker groups who could turn our cybersecurity upside down in a good way. Very frustrating topic.
Hard-coded, publicly available credentials are criminal to circumvent in germany. See https://www.heise.de/en/news/Modern-Solution-Court-of-Appeal... which is now settled, since the appeal was rejected. https://www.heise.de/en/news/Federal-Constitutional-Court-re...
> At the end of the trial, however, this had little impact on the verdict. The presiding judge stated for the record that the mere fact that the [publicly available] software had set a password for the connection meant that viewing the raw data of the [publicly available] program and subsequently connecting to the [publicly available] Modern Solution database constituted a criminal offense under the hacker paragraph.
Yes, taking publicly available data verbatim (no ROT13, nothing) and talking to a publicly available server on the internet can in fact be a criminal offense.
Thank you for providing an example that is exactly showing how messed up this is:
> Der Vorsitzende Richter gab zu Protokoll, dass alleine die Tatsache, dass die Software ein Passwort für die Verbindung gesetzt habe, bedeute, dass ein Blick in die Rohdaten des Programms und eine anschließende Datenbankverbindung zu Modern Solution den Straftatbestand des Hackerparagrafen erfülle
> The Judge gave to protocol that just the fact that the software requires a password for the connection, implies that a look at the raw data of the program and a subsequent database connection is considered hacking.
So yes, entering an empty password can cause all of your electronic devices in all your registered residences to be seized as evidence.
Note that the decompilation is on the complexity level of "strings $binary".
2 replies →
"the patient records database was accessible via the internet; there was no firewall and, perhaps most egregiously, it was secured with a blank password, so anyone could just press enter and open it"
There _should_ be a bunch of people in jail for that. Including, but not limited to the CEO. It should also include all the people on the org chart between whoever set that database up and the CEO.
Indeed, the CEO was held criminally liable, but the charges were dropped in a higher court just recently. From the article:
"In April 2023, Tapio was found guilty of criminal negligence in his handling of patient data. His conviction was overturned on appeal in December 2025. (He declined my requests to interview him.)"
More specifically, he was charged of a data protection crime (i.e., note that in Finland these GDPR-like things are also in the criminal law). However, based on local news, I suppose there was not enough evidence that it was specifically a responsibility of a CEO or that CEO-level gross negligence occurred.
According to this report [1] the appeal was about specific requirements like encryption, and he claimed he had delegated it. So it is clear that it is hard to actually hold people responsible.
> The appellate court rejected the prosecution's argument and dismissed all charges. In its unanimous decision, the court stated that neither the GDPR nor the applicable Finnish healthcare legislation required encryption or pseudonymisation of patient data at the time in question.
> Prosecutors alleged that Tapio knew about the March 2019 breach and failed to act. They claimed he neglected legal obligations to report and document the incident and did not take sufficient steps to protect the database. Tapio denied the claims, saying he was unaware of the breach until autumn 2020 and had delegated technical oversight to external IT professionals.
> The court found there was no clear legal requirement at the time obliging Tapio, as CEO, to take the specific security measures cited by the prosecution. These included firewall management, password policies, access controls, VPN implementation, and security updates.
> According to the ruling, the failure to adopt such measures did not, in the court’s view, constitute criminal negligence under Finnish law.
> Tapio’s conduct during and after the 2019 breach did not meet the threshold for criminal liability, the court concluded.
[1] https://www.helsinkitimes.fi/finland/finland-news/domestic/2...
16 replies →
Funny whenever people complain about the GDPR here they're thinking they would be slapped with a €20Mi fine and that EU team 6 is going to parachute in their office and arrest everyone
So they're saying this is not the case?
9 replies →
Exactly, was it a burglary when your front door is open, lights on, spotlights on your wall safe, with the keys still inserted?
The CEO should be in prison.
> The CEO should be in prison.
Yes.
> Exactly, was it a burglary when your front door is open, lights on, spotlights on your wall safe, with the keys still inserted?
The thing isn't just the discovery of the "open door", though. Thousands of people were extorted in a pretty heinous way. Even if we say breaking in took little sophistication or effort, what was done with the data also matters.
>Exactly, was it a burglary when your front door is open
Legally speaking, yes in every place I've ever lived if all those things are the case it's still a burglary, although the cops may call the victim an idiot.
8 replies →
Yes. Similarly, If I leave my car unlocked with the keys in the ignition, and someone takes it is still a crime. It might be unwise to do that (depending on where you are), but nonetheless it is still crime.
Technically, yes it is still burglary.
It's an odd position to take, that a crime was not committed or the offense isn't as bad if the difficulties of committing the crime have been removed or reduced.
11 replies →
Someone presented a hypothetical scenario: What if a hacker would write a virus, which breached a totally unprotected database after the hacker has passed away. It's clear that the therapy provider is at least partially responsible.
3 replies →
Is it still assault if the guy is just standing there, within punching distance, without even wearing a helmet?
1 reply →
Yes it absolutely is still a burglary. Classic victim blaming.
3 replies →
Yup, I heard of an ERP full of microservices and many endpoints dont check authorization at all and the auth mechanism doesnt check valid user credentials. Seems like they are very common.
Still reading the story but just hit that line and came here to snarkily post, “another MongoDB success story”. I should probably talk to my therapist about this desire to be seen as funny.
Having now read it, the CEO did get convicted.
There's a nice episode from darknetdiaries about it https://darknetdiaries.com/episode/159/
Unfortunately that relies on Joe Tidy as the source.
I tend to refrain from being overly critical of journalists who write about me, but Joe Tidy is a special kind of idiot who wrote an entire book about me based mostly around interviews of people who aren't actually the people they claim to be.
Is there a perspective or analysis that you've read that does a good job, in your opinion?
Do we really only catch the laziest hackers? The opsec is shocking.
>The opsec is shocking
If you choose to blindly believe what the prosecution claims, sure.
You're the guy in the article? Could you elaborate and share more of your side of the story?
2 replies →
Yes
> he had not only accidentally uploaded all of the therapy notes, but also his entire home folder
Lol. At least it's a good reminder about bad opsec.
https://archive.is/7uCnb
https://archive.is/7uCnb
The Guardian doesn’t have a paywall
In some circumstances it has a registration wall. I recently ran into it on one of my computers, and it prevented me from reading some articles until I removed the modals with browser devtools. Stupid and pointless, and just pushes people away or towards workarounds like archive.is. I've given The Guardian money in the past but I don't have or want an account.
Just because you immediately clicked "yeah sure sell all my data so I don't have to pay" doesn't mean it's not paywalled, please be a little more discerning.
1 reply →
It does. I pay with money (eg I'm forced to pay for a subscription) or ads (I'm forced to pay with resources)
He’s done less than seven years of time, shows no remorse and even denies doing it in the first place. You dropped the ball on this Finland, don’t be surprised when he does it again. What a disgusting human being.
I'd bet good money that this dude has some sort of antisocial personality disorder, and really can't be "cured", so to speak.
Something tells me he'll try to sneak out of Finland (which is easy due to Schengen), purchase a new passport, and leave Europe.
I guess a silver lining here is the possibility that he'll commit crimes in countries with far harsher penalties than Finland.
I've lived in Finland myself, and currently live in Norway. Lax punishments for the sake of rehabilitation is the standard, and I'm fine with that. But some people, like this one, simply can't be rehabilitated.
>I'd bet good money that this dude has some sort of antisocial personality disorder, and really can't be "cured", so to speak.
I'm happy to take you up on this, but I feel like the stakes will need to be pretty high to justify all the effort involved.
>Something tells me he'll try to sneak out of Finland (which is easy due to Schengen), purchase a new passport, and leave Europe.
Why would I do that? I hold a valid Finnish passport, haven't had any trouble entering or exciting Schengen zone lately.
Harsh punishment doesn't change anything. Criminals are just stupid, mentally ill or in the most sad cases kids.
In my country they actually do put away people for life and yet we still have crime.
3 replies →
Well, we keep hearing that the Nordic Countries are the happiest on Earth. (Which I don't buy even if they do get some things right.)
[dead]
Yeah they shouldn't be surprised if someone solves this outside the legal system
So, would it be better if I feigned remorse for a crime I didn't even commit in the first place?
I've said it before, but these types of malicious hackers should face draconian punishment. Decades behind bars.
I have seen therapists in the past, but never over video calls, and the notes have been kept on paper. Sometimes in person is much better.
This rush to put everything online will destroy everyone's privacy even though privacy is the thing we all need.
This isn't a great solution, but it has helped me forgive myself, maybe it can be a trend in the future: You didn't pick your DNA, you didn't pick your environment. (Determinism in a nutshell)
The bad things that happened to you, and the bad thing you did, should be seen as somewhat outside our control.
I think of my worst google searches (nsfw stuff) and think: "Well, I'm just a chemical reaction."
But then again, I read the book A Billion Wicked Thoughts and found I'm pretty vanilla, we just don't talk about these things out loud.
Maybe my life is tame, but even when I hear from other people, everything seems pretty reasonable.
I know this is an 'after the fact' fix, but its a tool for our toolbox. We could look at people who criticize us as people who are ignorant of Determinism. (But we still need mechanisms to deter bad behavior)
[dead]
[dead]
This is why you should not go to a therapist who uses electronic records. This will happen to you at some point.
Or: this is why you strictly regulate the storage of confidential/private/sensitive information.
There were multiple failures here, but a single step could've prevented the entire hack: industry-standard encryption of the sensitive information.
You could use a fake name/address? That would make it hard to trace back the records to you should they leak.
I think most people are not seeking therapy and even fewer are seeking therapy under hostile conditions.
i guess you should never use banks that use “electronics” either, right? just cash and paper records?
Basically the whole model of Better Help.
Any insurance covered therapy in the US. And assume any private practice that does not explicitly state they do not electronically store session notes.
Apart from therapy, I expect a lot of sensitive and private information to be hacked and released in the next 10 years. Most importantly, all non securely encrypted text based communications.
1 reply →
I thought the model of Better Help was hiring people who are completely unqualified to be therapists and then selling them as therapists.
1 reply →
[dead]
[flagged]
Ethically speaking it seems like you should not be accessing commercial news sites if you're not willing to pay in some way for the work of the people writing the articles.
What do you propose they do?
Source some ethical advertising.
Show context-based ads instead of spying on people would be a good start. That should be the only form of legal advertising. It is for sure the only form of potentially ethical advertising.
I also pay to get past paywalls when a site has content I want to read, rather than try to sneak past using some dodgy mirror.
Like most hacktivists, he is selfish asshole that cares more about self gratification than the consequencesbof their actions.
He's not a hacktivist at all, just a common extortionist.
"Jazz police are looking through my folders. Jazz police are talking to my niece. Jazz police have got their final orders. Jazzer, drop your axe, it's jazz police!"