Tiina Parikka was half-naked when she read the email.It was a Saturday in late October 2020, and Parikka had spent the morning sorting out plans for distance learning after a Covid outbreak at the school where she was headteacher.She had taken a sauna at her flat in Vantaa, just outside Finland’s capital, Helsinki, and when she came into her bedroom to get dressed, she idly checked her phone.There was a message that began with Parikka’s name and her social security number – the unique code used to identify Finnish people when they access healthcare, education and banking.“I knew then that this is not a game,” she says.

The email was in Finnish.It was jarringly polite.“We are contacting you because you have used Vastaamo’s therapy and/or psychiatric services,” it read.“Unfortunately, we have to ask you to pay to keep your personal information safe.” The sender demanded €200 in bitcoin within 24 hours, otherwise the price would go up to €500 within 48 hours.

“If we still do not receive our money after this, your information will be published for everyone to see, including your name, address, phone number, social security number and detailed records containing transcripts of your conversations with Vastaamo’s therapists or psychiatrists.”Parikka swallows hard as she relives this memory.“My heart was pounding.It was really difficult to breathe.I remember lying down on the bed and telling my spouse, ‘I think I’m going to have a heart attack.

’”Someone had hacked into Vastaamo, the company through which Parikka had accessed psychotherapy.They’d got hold of therapy notes containing her most private, intimate feelings and darkest thoughts – and they were holding them to ransom.Parikka’s mind raced as she tried to recall everything she’d confided during three years of weekly therapy sessions.How would her family react if they knew what she’d been saying? What would her students say? The sense of exposure and violation was unfathomable: “It felt like a public rape.”Therapy had been Parikka’s lifeline.

Now 62, she’d had three children by the time she was 25, including twins who had been born extremely prematurely in the 1980s, weighing only a few hundred grams each.One grew up with cerebral palsy; the other is blind.Parikka spent years juggling medical emergencies, surgeries and hospital stays with a demanding job and a crumbling marriage.“During those years, nobody ever asked me, the mother, ‘How are you?’”She divorced in 2014 and met her current partner a year later.By then, her children were adults with independent lives.

After decades of putting everyone’s else’s needs before her own, she should have been finally able to exhale,Instead, she had a breakdown,“I had full-scale anxiety running through my body all the time,I couldn’t sleep,I had panic attacks.

I couldn’t eat.” Driving at high speed on the highway one day, dark thoughts descended.“I was thinking, I wouldn’t mind if this car crashed.”In search of urgent help, she went to Google, which led her to Vastaamo, Finland’s one-stop digital shop for people in search of psychotherapy.No doctor referral was necessary.

She managed to book a session for the very next day.“It was that easy.”Being able to confide in a total stranger felt liberating.She told her therapist things she had never told another soul.“Trauma in relationships.

The disappointment and tragedy of having disabled children, and the influence it had on my life,” she says.“Silly things, childish things.It’s very human to feel hate, anger, rage.”After Parikka read the email that left her struggling to breathe, she had no idea where to turn for help.She rang the emergency services, but the police told her to get off the line; they needed to keep it free for real emergencies.

In her bathrobe, her phone still in her hand, she felt utterly alone.But Parikka was far from alone.Across Finland, 33,000 people who had used Vastaamo were discovering that a hacker had got hold of their therapy notes and was holding them to ransom.These were people who, by definition, were likely to be vulnerable, in need of help.Each was experiencing a very personal, individual terror.

In a country of only 5.6 million people, everyone knows someone who was hacked.Some victims’ notes had already been cherrypicked for the world to see.Three days before the extortion emails were sent, someone using the handle ransom_man had left posts on the dark web, on r/Suomi, the Finnish-language subreddit, and on Ylilauta, Finland’s equivalent to 4chan.This time, the post was in English.

“Hello Finnish Colleagues,” it began.“We have hacked the psychotherapy clinic vastaamo.fi and taken tens of thousands of patient records including extremely sensitive session notes and social security numbers.We requested a small payment of 40 bitcoins (nothing for a company with yearly revenues close to 20 million euros) but the CEO has stopped responding to our emails.We are now starting to gradually release their patient records, 100 entries every day.

”There was a link to the dark web, where 100 records were already on display.Directly below it, ransom_man had signed off the post with a single word: “Enjoy!”The 100 records included those of politicians, police officers and prominent public figures.Their names appeared alongside therapy notes that contained details of adultery, suicide attempts, paedophilia and sexual violence.Some of the records belonged to children.And whoever was behind the hack was true to their word: the next day, 100 more patient records were uploaded.

Some victims went searching on the dark web in a desperate attempt to see if their records were out there.Some paid the ransom, scrabbling to get hold of bitcoin while the clock ticked down.Lawyers representing the victims have told me they know of at least two cases where people took their own lives after they discovered their therapy notes had been hacked.But for all of them, it was already too late.At 2am on 23 October 2020 – the day before the emails began to arrive in tens of thousands of inboxes – ransom_man had uploaded a much larger file.

It contained every record of every single patient on Vastaamo’s database.Everyone’s therapy notes had already been published, for free, for everyone in the world to see.Who was behind the biggest crime Finland had ever known? And might they have been motivated by something other than money? I have spent 18 months trying to answer these questions, following threads across Europe and the US.They culminated in a visit to a prison, and one of the most chilling conversations I have ever had.Finland has been ranked the happiest country on Earth by the UN for the last eight years in a row.

A world leader in childcare and education, Finland is also famously hi-tech: it’s the most digitalised country in Europe, renowned for its communications sector (as the home of Nokia) and leading the way when it comes to cybersecurity and AI innovation.But Finland is also a place of extremes.It has more heavy metal bands per capita than any other nation.In the far north, for the few days around the winter solstice, the sun does not rise.Vastaamo had long been considered an example of how Finland was getting it right when it came to digital tech.

Founded in 2008 by entrepreneur Ville Tapio and his mother, Nina, a psychotherapist, the aim was to open up therapy to the masses, removing the stigma of asking for help,The platform made it easy for people to see who was free, where, and what therapeutic approach they specialised in,The logo had the colour palette of a first-aid kit, with white lettering in a green speech bubble,Vastaamo means “a place for answers”,It was an attractive platform for therapists, too: they didn’t have to worry about marketing or billing – Vastaamo would take care of all of that.

The company even provided a behind-the-scenes digital interface where therapists could make and store their notes.This formula, combined with the increasing demand for therapy services, meant Vastaamo grew fast.It opened its own network of around 20 clinics across Finland, employing more than 220 psychotherapists by 2018, leading some in Finland to refer to it as “the McDonald’s of therapy”.In the years before Zoom and Teams were part of our daily lives, the remote therapy also offered by Vastaamo was groundbreaking.In 2019, a private equity firm bought a majority stake in the company, earning the Tapio family a payout of more than €5m.

Meri-Tuuli Auer, 30, describes using Vastaamo as “like Uber for therapy – convenient, accessible, relatively cheap”.She picked her therapist because he offered cognitive psychotherapy – and she liked his photo.“He looked nice.He looked approachable.”Auer’s home, on the outskirts of Helsinki, is a riot of pink.

There are Barbie dolls, Barbie books and Barbie-themed handbags on her shelves, as well as a glittery open-top Barbie sports car.A pole-dancing pole takes pride of place in the centre of her living room.“I’m a mixed personality,” she tells me over tea in Moomin mugs.“I love being around people, but I get that inkling, that doubt: maybe they all think I’m full of shit and stupid and ugly and I have no idea what I’m doing.” Auer has struggled with depression for much of her life.

When she was 18, she was in a secretive, difficult relationship with a man 29 years her senior, which made her self-esteem plummet further.She was drinking heavily.“If I hadn’t gone to therapy, I don’t know what would have become of me.Maybe there is another universe where I didn’t make it to 30.”Most of the cost of Auer’s treatment was covered by the Finnish healthcare system; she paid only about €25 for each weekly session.

She was making great strides.“After going to therapy in 2018 and 2019, I had gained a basic sense of security.That was lost in 2020.”Vastaamo’s CEO knew the company’s patient registry was being held to ransom weeks before his customers found out.On 28 September 2020, Ville Tapio received an email demanding the bitcoin equivalent of €450,000 to keep it safe.

Sample patient records attached to the email proved the extortionist wasn’t bluffing.Tapio called in a cybersecurity firm to investigate.Medical information is an obvious target for would-­be extortionists, says Antti Kurittu, the security specialist Tapio hired.But this was something else: “Whatever I tell a therapist is, by its very nature, a lot more private than what my blood pressure is,” he says, drily.Kurittu used to be a detective, investigating cybercrimes for the Finnish police; he says he insisted they be told about the ransom attempt so they could begin a parallel investigation.

Meanwhile, he began inspecting Vastaamo’s server, looking for clues as to who might be behind the hack – and one of the first things he noticed was how lax security had been.“It was definitely unfit for purpose for storing this kind of information,” he says.He tells me that the patient records database was accessible via the internet; there was no firewall and, perhaps most egregiously, it was secured with a blank password, so anyone could just press enter and open it.Kurittu determined that whoever had hacked Vastaamo had probably just been scanning the internet in search of any badly secured databases that could be monetised.“They tried a bunch of bank vaults to see which ones were open, and just happened to stumble on this one