2.1.3 Data Theft and Data Trafficking
As the amount and value of personal data stored online grows, data theft and trafficking will continue to occur. In 2017 in the US, for example, a mental health service provider in Texas notified 28,434 people whose data were allegedly stolen by a former employee.230 However, by far the most extreme case concerning mental health was reported in Finland in October 2020.
‘Vastaamo hacking could turn into largest criminal case in Finnish history’
On the 27th of October 2020, the Associated Foreign Press reported that:231
The confidential treatment records of tens of thousands of psychotherapy patients in Finland have been hacked and some leaked online, in what the interior minister described as “a shocking act”. Distressed patients flooded victim support services over the weekend as Finnish police revealed that hackers had accessed records belonging to the private company Vastaamo, which runs 25 therapy centres across Finland. Thousands have reportedly filed police complaints over the breach. Many patients reported receiving emails with a demand for €200 (£181) in bitcoin to prevent the contents of their discussions with therapists being made public.
Around 30,000 people are believed to have received the ransom demand at the time of writing; some 25,000 reported it to the police. Some of the records belonged to children, politicians, and other public figures. They contained details about adulterous relationships, sexuality hidden from family, suicide attempts, and paedophilic thoughts.232
Vastaamo, the private company that owned the leaked patient database, has since claimed bankruptcy.233 At the time of writing, criminal proceedings are underway and victims would be able to seek compensation from the perpetrator(s) of the extortion if they are caught. In addition, Finland’s Data Protection Ombudsman is reportedly looking into whether Vastaamo breached European Union data protection rules, which would mean Vastaamo would be responsible for compensating injured parties—though according to Leena-Kaisa Åberg, Executive Director of Victim Support Finland, any returns from the bankrupt company would be modest.234
Such incidents raise questions around the security required to protect people’s privacy relating to mental health, distress and disability, and to digitally store and process sensitive personal data (of which more is discussed in the Safety and Security section below). According to William Ralston, the example from Finland is particularly troubling because Finland is regarded as having among the most advanced electronic health policy and governance frameworks in the world.235 Questions also arise about the security methods in place for technologies that are operating outside the formal healthcare context, such as the vast selection of mental health apps operated by private companies collecting personal data through people’s smartphones. Indeed, the private company in Finland that was hacked, Vastaamo, was the largest private mental health operator in the country, and investigations are underway at the time of writing to determine where responsibility for the data breach lies.236
- 230 HIPAA, ‘PHI of 28,000 Mental Health Patients Allegedly Stolen by Healthcare Employee’ (5 December 2017) HIPAA Journal https://www.hipaajournal.com/phi-28000-mental-health-patients-stolen-by-healthcare-employee/
- 231 AFP, ‘Shocking’ hack of psychotherapy records in Finland affects thousands, The Guardian (27 Oct 2020).
- 232 William Ralston, ‘They Told Their Therapists Everything. Hackers Leaked It All’ Wired https://www.wired.com/story/vastaamo-psychotherapy-patients-hack-data-breach/.
- 233 ‘Compensation Uncertain for Vastaamo Victims’, Yle Uutiset (online, 20 June 2021) https://yle.fi/uutiset/osasto/news/compensation_uncertain_for_vastaamo_victims/11991155.
- 234 Ibid.
- 235 Ralston (n 232).
- 236 Ibid.