📆 October 10, 2023 | ⏱️ 2 minute read | 🏷️ computing

Re: They Told Their Therapists Everything. Hackers Leaked It All

Vastaamo ran the largest network of private mental health providers in Finland when it suffered a catastrophic data breach. A hacker group (or individual) got into the database, downloaded private notes from patient therapy sessions, and threatened to release them all unless paid a very large sum of money by the provider, later extorting then-current and former patients as well.

If you want to learn more about it, you can click the link above. I’m not writing about it for the details of this specific case though. I want to use it as evidence for a broader point, which is that data as sensitive as therapy notes don’t ever belong on networked computers. Putting them on networked computers is the most moronic thing I’ve ever heard. Unfortunately it continues to be standard practice in certain places.

Hospitals and health facilities get hacked constantly. They’re so insecure that once I even accidentally socially engineered an employee to send me my own health data (they did not verify who I was). It would be more secure to use air gapped laptops with hardware-token-based full disk encryption, storing the laptops in a locked safe. At least then one would have to physically break into the facility, which would be much more difficult and risky than remotely hacking in.

The relationship between a therapist and a patient is among the most intimate relationships there are. The only two people who need detailed records of said interaction are the therapist and the patient. That’s it. And the therapist only strictly needs those records until the patient stops being a patient. There is absolutely no need for patient notes to be available to anyone else, particularly not in a networked database.

I’m not writing this to discourage anyone from seeking mental health treatment or avoid telling things to their therapist. I just wanted to highlight how unsafe the practice of putting therapy notes in networked databases is and suggest that providers stop doing it.