Workplace Trauma Month: A Therapist's Data Breach and Its Toll on Trust and Integrity

Updated: May 1

As some of you know, besides working full time, I have spent the last 10 years studying and learning various therapy methods. I did this to heal myself and help my fellow IT people. This is the vision of Synchromind: to provide various healing toolkits, especially for computer-oriented jobs in the workplace environment.

Over the past decade, I've had the opportunity to meet many therapists, psychologists, and others in the mental health field. Unfortunately, I've noticed that a significant number of them struggle with ensuring the security of information. Many are unsure of how to keep their notes private and don't fully grasp the implications of GDPR (General Data Protection Regulation) and how it applies to their practice. Despite my efforts to explain, I've found that many are also uninterested in learning more. It's concerning that while they expect their patients to step out of their comfort zones, they themselves don't always practice what they preach. I realize this may sound critical, but my assessment is based on observable facts.

Today the case of the Finnish company Vastaamo is all over the news: the company was hacked, and the private therapy information of 33,000 people was stolen by a hacker who first tried to blackmail the company and then the patients themselves. Patient information, including names, addresses, diagnoses, and intimate details, was exposed. What was meant to be confidential is now vulnerable to exploitation. This is a patient's worst nightmare.

Vastaamo did not pay the fine imposed by the Finnish Data Protection Authority for the data breach. The authority imposed a fine of €608,000 (a bit over 18 euros per person whose data was stolen) for violating the GDPR. The company was declared bankrupt in February 2021. As an administrative fine is the lowest priority claim in a bankruptcy, the fine could not be collected and did not reduce the funds available for other claims such as potential compensation for damages to victims.

Trauma isn't just physical, it can also be psychological. For the therapist's patients, the breach is a violation of their privacy and trust. Some feel exposed, as if their deepest secrets have been laid bare. Others experience anxiety and fear, worrying about the consequences of their personal struggles being made public.

I am writing this post to raise awareness. When going to a therapist, check his/her/their organisation's compliance. Do they take notes on paper, and if yes, where do they store them and for how long? Exercise your rights to consent, deletion, etc. If they store the data digitally, ask more about the solution and ask them to confirm they are GDPR compliant.

In the aftermath of the data breach, the therapists confront the harsh reality of their actions. They cannot undo the breach, but they can take responsibility for it. With humility and courage, they should face their patients, their traumas, offering sincere apologies and assurances of action.

So please, all businesses and therapists in this domain, vow to invest in robust security measures and undergo training to prevent such breaches in the future. Delete, delete, delete and delete even more what is no longer needed. Learn from other people's mistakes and create a really safe space.

As we conclude Workplace Trauma Month, we want to express our gratitude for your engagement and support. We appreciate your comments and insights, which have enriched our discussions. Looking ahead, we're excited about the upcoming blog posts on this theme in April 2025. We hope you'll join us again as we continue our journey of exploration and learning together. Thank you for being a part of our community!
