
Protecting your therapy clients’ information

Psychologist Hacking & Data Protection

With all the talk about GDPR and the UK Data Protection Act over the past five or so years, most people know that there are restrictions on sharing information relating to individuals. The regulations require that personal data is processed lawfully and kept secure, so that it cannot be read, or used to identify the individual concerned, by anyone who is not authorised to handle it.

Anyone who has worked in or around health care, physical or mental, will also understand the concept of patient confidentiality. In practice this means not discussing individual cases with anyone who is not authorised to be involved in them.

As individuals, one of our biggest fears would likely be our private patient notes being leaked by our doctors or therapists.

As a mental health care professional, you are entrusted with some of the most intimate information a person can have. Some of it would be moderately embarrassing if exposed, some would be life-changing, and for some clients it could be life-ending. That may sound alarmist, but given the industry you work in, it is not difficult to see how triggering the release of private information could be for people affected by certain mental disorders.

Given the importance of this subject, my question to you would be:

Do you know all the places, physical and electronic, where private information relating to your prospective, current and past clients is stored, transported, communicated or visible?

Most would acknowledge that bad things happen from time to time. Yet even knowing this, most mental health professionals would likely take limited action, underestimating either the probability of something going wrong or the impact when it does. “It’ll never happen to me!” they might say.

Unless you have proper controls in place across your entire ‘estate’, there are significant risks to therapist, business and client from even a small data or information leak.

It only happens to other people? Wrong.

In my time working with therapists, I have personally seen a UK NHS GP practice spamming its clients after being hacked – they were oblivious to the impact of the breach and their responsibilities even after the author of this article contacted them on behalf of a client. I have seen clients’ visits to their therapist become visible to people close to them, leading to outside interference. And I have seen sophisticated attempts to get therapists to unknowingly aid attempts to abuse and embarrass vulnerable people. This is no doubt just the tip of the iceberg.

Leaking Psychotherapy Clients’ Personal Information

As was widely reported, in October 2020 the Finnish National Bureau of Investigation said that the personal information of tens of thousands of clients of the psychotherapy business Vastaamo had likely been leaked into the public domain.

Vastaamo provides psychiatric and psychological treatment to people affected by disorders such as depression and anxiety. If you are a psychiatrist, psychologist or other mental health therapist, that description of Vastaamo’s business is going to sound awfully familiar.

What risks does a mental health business face?

Whether you are a small therapy business or a large one such as Vastaamo, the risks and impact of client data leakage are similar. The risks to the business include legal, financial and regulatory consequences, and damage to its brand. The health and future of the practice will likely be heavily impacted, and a leak could put a therapist out of business overnight. If business owners are found negligent, or not to have complied with legal requirements, large fines or even custodial sentences could follow.

How have Vastaamo and its therapy clients been affected?

In Vastaamo’s case, blackmailers demanded approximately EUR 400,000 in bitcoin to prevent the information from being published, threatening to release it in batches of 100 records per day.

Over two days, leaks including the personal information and therapy notes of both adults and children started to appear on the dark web. At the time of writing the leaks have, at least temporarily, stopped. It is not yet clear whether this is the result of Vastaamo meeting the extortionist’s ransom demand, nor whether the individuals affected are, or will be, subjected to further demands down the line.

As Finnish Interior Minister Maria Ohisalo talks of providing emergency crisis support to the victims, one must consider how many other practices are vulnerable to hacking and the release of confidential material.

My practice is too small, this won’t happen to me.

If you believe that this can’t happen to you, I would counsel you to think again: ask yourself how you know that, and what you are doing to protect against and mitigate the risks you face daily.

Put simply, if your therapy notes, or almost any identifiable information about your clients, leak, then you might lose your livelihood, your business, your reputation and even your freedom.

Identifying and reducing risk within a mental health practice

I could ask whether you have done a risk assessment. Likely you have, but not all risk assessments are created equal, and it is unlikely that the risk assessment you followed was comprehensive enough to protect you and your clients.

Ask yourself whether that risk assessment reliably included every communications channel, email program, spell checker (a cloud-based spell checker sends what you type to a third party, so it belongs on the list), filing cabinet, drawer, payment system and so on that you use.

While you may be following some form of standard risk assessment template, you need to identify what it does not cover. Key to its efficacy will be both the motivation behind the assessment and your ability to answer the questions it poses honestly and in sufficient detail.

How can I reduce the risks to my therapy clients and my business?

We have talked earlier about the potential impact on your business and clients.

Acknowledging that risks exist is a great place to start, but what do you need to do, and what do you prioritise? Unless you are, or have been, a professional risk manager, it will be difficult to know what to assess or how to judge the effectiveness of the controls you have in place.

Running your practice has probably become second nature to you, so much so that you may not even realise how much information you have access to, nor how you are using it.

Ask yourself today whether you fully understand, to the point that you can articulate or write down, what processes you have, what risks affect those processes, and what controls you have in place over them. Likely there will be quite a few gaps in what you write down, because this is not something we are used to doing, despite its importance.

What can you do to protect yourself?

Now that you know that assessing and mitigating risk is vitally important for every business, I hope you are motivated to take further action to fully understand, quantify and mitigate the level of risk your business runs each day.

Informing Minds is a business development consultancy specialising in mental health. We can review and audit your processes, risks and controls, covering both manual and technology-based activities.

As a career risk professional, Brian Tancock has worked in and advised several multinational and global businesses. While Brian’s focus these days at Informing Minds Ltd is developing and supporting mental health focused businesses, he is also a consultant to i-Risk Group Ltd, a leading independent enterprise risk management company.

Find out more about mitigating the risks to your mental health practice and your clients by contacting Brian at [email protected]
