In recent years, the privacy of mental health care has come under intense scrutiny, particularly following a series of high-profile data breaches and data-sharing scandals that exposed the sensitive information of hundreds of thousands of patients. These incidents underscore the urgent need for enforceable privacy rights to protect people seeking mental health support.
The BetterHelp Case
This is the news that inspired me to write this blog. BetterHelp, a massive online therapy provider, was caught sharing user information, including mental health information, with Facebook and Snapchat for advertising purposes. In 2023, the Federal Trade Commission (FTC) charged BetterHelp with disclosing this sensitive health data despite promises to keep such information private. The data included users' email addresses, IP addresses, and their answers to the personal mental health questions in BetterHelp's intake questionnaire. As a result, BetterHelp agreed to a $7.8 million settlement, with refunds going to approximately 800,000 people who paid for its services between August 2017 and December 2020. This incident is not only a disgusting breach of user trust; it will likely deter people who were already hesitant to seek therapy because they mistrust the system.
The Finnish Data Breach
The situation in Finland further illustrates the catastrophic consequences of inadequate security around sensitive health data. On October 21, 2020, the Vastaamo Psychotherapy Center in Finland disclosed that it was being blackmailed: a hacker known as "ransom_man" demanded payment in exchange for not publishing highly sensitive therapy session notes stolen from its patient database. When Vastaamo declined to pay, the hacker shifted to extorting individual patients, threatening to publish their therapy notes unless each paid a ransom. The breach exposed the therapy records of roughly 30,000 patients, with devastating consequences. Some individuals lost their jobs, and tragically, several died by suicide following the exposure of their private therapy records. Are you starting to see why this is so important? It is not just a matter of privacy; it is a matter of life and death. The emotional and psychological toll on victims, coupled with the societal cost of lost trust in mental health services, cannot be overstated. Julius Kivimäki, the hacker responsible, was sentenced in 2024 to more than six years in prison, but the damage caused by his actions is irreparable.
Inadequate Privacy Protections
Currently, privacy protections in the mental health field are inconsistent and often inadequate. While some countries have extensive regulation, others lack any comprehensive framework for safeguarding sensitive health information. And the regulations we do have are often enforced with a petty fine that might as well be a speeding ticket for companies earning billions of dollars a year. Mental health data is uniquely sensitive and personal. Even more than other types of health information, it can be used to stigmatize and discriminate against individuals, leading to significant harm. This is why mental health data requires stronger, more enforceable protections than those currently in place. If you're reading this and think you could use some help, please don't let these incidents deter you from seeking it. I'd recommend finding an in-person provider and asking them not to digitize their therapy notes, or at least to digitize only high-level notes without identifiers. Providers are usually required to keep some record, so also ask where those records are stored, who can access them, and whether they are shared with any third-party service.
To address these issues, we absolutely need stronger, enforceable privacy rights for mental health patients. Governments and regulatory bodies must implement comprehensive legal frameworks that prioritize the security and confidentiality of mental health data. This means stricter regulations, regular audits, and severe (I repeat, severe) penalties for non-compliance.
Recommendations for Mental Health Providers
If you are a provider reading this, please realize that you play a vital role in safeguarding your patients' data. Providers can adopt good cybersecurity practices in several ways.
1) Seek outside expert advice. When the toilet breaks in your office, you’re not expected to fix it yourself. You call a plumber. Same goes here. If there’s a security risk, there are people you can call on to mitigate those risks and put better protections in place. Bonus here: you get to call the help before the toilet starts spewing water everywhere.
2) Be sure to ask questions about data handling and security before partnering with third-party apps and tools. This includes schedulers, database and record-keeping software, and the financial products you use to send and receive payments. At a minimum, ask who can access the data, whether it is encrypted in transit and at rest, whether the vendor shares any data with advertising or analytics services (this is exactly what went wrong at BetterHelp), and how and when they will notify you of a breach.
3) Maintain transparency and open communication with patients to build and keep trust.
4) Here is a security checklist put together by a fantastic CISO in the industry, Bob Lord, to get you started: https://democrats.org/wp-content/uploads/2023/03/2023-DNC-Security-Checklist-03-20-23.pdf