The healthcare industry has become a prime target for cybercriminals, with therapists and mental health practitioners facing increased threats. The sensitive nature of patient data and the vulnerabilities of small-to-medium-sized healthcare organizations have made mental health practices attractive to hackers.
The proliferation of digital health technologies
The COVID-19 pandemic has accelerated the adoption of digital health technologies, including smartphones, tablets, telehealth platforms, and electronic health records. While these advancements have improved patient engagement and care, they have also expanded the attack surface for cybercriminals.
According to Front Digit Health, "New technologies mean new vulnerabilities and more breach opportunities…especially as therapists navigate these new threat vectors while counseling patients and trying to keep them protected."
The sensitive nature of mental health data makes it a valuable commodity on the dark web, where it can sell for $1,000 or more per record. Hackers may try to steal this information for various purposes, including identity theft, blackmail, or resale to the highest bidder.
The vulnerability of small-to-medium-sized practices
Therapists and mental health organizations, often classified as small-to-medium-sized businesses (SMBs), frequently lack the resources and expertise to implement cybersecurity measures. This makes them prime targets for cybercriminals, as they are less likely to have the necessary IT budgets, staff, and cyber preparedness to defend against attacks.
According to a 2022 Critical Insight report, SMB cyberattacks rose drastically in the first half of 2022, from 23% in 2021 to 31%. According to the report, “Most SMBs assume that because they are so small, they won't be targeted. But the exact opposite is true.”
High-profile incidents
Cerebral
The U.S. Federal Trade Commission (FTC) has levied significant penalties against mental health telehealth company Cerebral for violations of consumer privacy and deceptive practices. The FTC's enforcement action, resulting in over $7 million in fines, stems from Cerebral's unlawful disclosure of sensitive personal health information to third-party advertisers and its failure to honor transparent cancellation policies. Cerebral was accused of misleading consumers by promising secure and discreet services while sharing data with platforms like LinkedIn, Snapchat, and TikTok.
Cerebral also allegedly mishandled patient records, allowing unauthorized access by former employees and disclosing sensitive health details through insecure means like promotional postcards. As part of the settlement pending court approval, Cerebral is mandated to cease unauthorized data-sharing practices, implement a privacy and security program, notify affected users, and establish mechanisms for data deletion upon request.
Los Angeles Department of Mental Health
The Los Angeles Department of Mental Health (DMH) has faced a serious cybersecurity incident involving a multi-factor authentication (MFA) attack commonly referred to as push notification spam, in which repeated approval prompts are sent to a user until one is accepted. Initially affecting the City of Gardena Police Department (GPD), the attack allowed threat actors to compromise an employee's Microsoft Office 365 account and subsequently gain access to email exchanges with DMH personnel. The breach exposed sensitive personal information such as names, dates of birth, Social Security numbers, addresses, telephone numbers, and medical record numbers. Despite the severity of the data accessed, DMH said there is no evidence that this information has been exploited.
Upon discovering the breach, DMH disabled the affected accounts and reset Microsoft Office 365 and MFA credentials. The incident was investigated by forensic specialists and law enforcement, with the investigation concluding on March 19, 2024. DMH has advised affected individuals to monitor financial and account statements for any suspicious activity and promptly report concerns to the relevant institutions.
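Push notification spam only works if a burst of unanswered or denied MFA prompts goes unnoticed until the user finally taps "approve". The following is an added example of how a defender could surface such bursts from identity-provider sign-in logs; it is not code from DMH, Microsoft, or Paubox. The JSON-lines log format, the field names (ts, user, event, result, ip), the sample events, and the 10-minute window and 3-prompt threshold are all constructed assumptions, not any real IdP's schema or recommended settings.

```python
"""
Flag MFA push-fatigue bursts in authentication logs.

Added example, not from any incident report or vendor product. The log
schema below is a constructed assumption; map your IdP's fields onto it.
"""
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json

WINDOW = timedelta(minutes=10)   # assumption: max gap between prompts in one burst
THRESHOLD = 3                    # assumption: non-approved prompts before alerting

# Constructed sample log. One JSON object per line; IPs are documentation ranges.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:00:05Z", "user": "clerk@example.org", "event": "mfa_push", "result": "approved", "ip": "203.0.113.10"}
{"ts": "2024-03-01T22:14:01Z", "user": "clerk@example.org", "event": "mfa_push", "result": "denied", "ip": "198.51.100.7"}
{"ts": "2024-03-01T22:14:40Z", "user": "clerk@example.org", "event": "mfa_push", "result": "timeout", "ip": "198.51.100.7"}
{"ts": "2024-03-01T22:15:12Z", "user": "clerk@example.org", "event": "mfa_push", "result": "denied", "ip": "198.51.100.7"}
{"ts": "2024-03-01T22:16:03Z", "user": "clerk@example.org", "event": "mfa_push", "result": "approved", "ip": "198.51.100.7"}
{"ts": "2024-03-01T22:16:30Z", "user": "analyst@example.org", "event": "mfa_push", "result": "denied", "ip": "203.0.113.22"}
{"ts": "2024-03-02T08:30:00Z", "user": "analyst@example.org", "event": "mfa_push", "result": "approved", "ip": "203.0.113.22"}
{"ts": "2024-03-02T08:31:00Z", "user": "clerk@example.org", "event": "password_login", "result": "success", "ip": "198.51.100.7"}
"""


@dataclass
class Alert:
    user: str
    start: datetime
    prompts: int          # non-approved push prompts in the burst
    approved_after: bool  # True: the burst ended with an approval -> probable compromise
    source_ips: tuple     # where the prompts were triggered from


def parse_events(text):
    """Parse JSON-lines into dicts with timezone-aware timestamps, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Group consecutive non-approved prompts per user into bursts; alert on long ones."""
    alerts = []
    open_bursts = OrderedDict()  # user -> list of non-approved mfa_push events

    def close(user, approved_after):
        burst = open_bursts.pop(user, [])
        if len(burst) >= threshold:
            alerts.append(Alert(
                user=user,
                start=burst[0]["ts"],
                prompts=len(burst),
                approved_after=approved_after,
                source_ips=tuple(sorted({e["ip"] for e in burst})),
            ))

    for ev in events:
        if ev["event"] != "mfa_push":
            continue
        user = ev["user"]
        burst = open_bursts.get(user)
        # A long quiet gap ends the burst without an approval.
        if burst and ev["ts"] - burst[-1]["ts"] > window:
            close(user, approved_after=False)
        if ev["result"] == "approved":
            # An approval right after a burst is the case to treat as a likely
            # account compromise: disable the session and reset MFA credentials.
            close(user, approved_after=True)
        else:
            open_bursts.setdefault(user, []).append(ev)

    for user in list(open_bursts):   # bursts still open at end of log
        close(user, approved_after=False)
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_push_fatigue(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.user}: {a.prompts} prompts from {a.start.isoformat()} "
              f"via {', '.join(a.source_ips)}; approved afterwards={a.approved_after}")
```

The single-user denied prompt for analyst@example.org stays below the threshold and produces nothing, while the three denied/timed-out prompts for clerk@example.org followed by an approval produce one alert with approved_after set. Logs of this kind only exist when the IdP records every prompt outcome, so confirming that denied and timed-out pushes are logged is a prerequisite for the detection; number matching on the authenticator, which DMH's reset of MFA credentials suggests as a follow-up control, removes the blind tap that this attack depends on.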
Vastaamo breach
A 26-year-old man has been sentenced to six years and three months in prison for orchestrating one of Finland's most infamous cybercrimes: the hacking of tens of thousands of patient records from a private psychotherapy center. Aleksanteri Kivimäki's actions, which included attempting to extort money from patients under threat of exposing their sensitive information, sparked widespread outrage and led to a record number of criminal complaints. The breach, discovered in October 2020, affected approximately 33,000 individuals and contributed to several suicides among those whose private details were compromised.
Kivimäki, known for his history of hacking since adolescence, was apprehended by French authorities in February 2023, living under a false identity near Paris. He was found guilty of aggravated data breach, blackmail attempts, and dissemination of private information.
Proactive measures to protect patient data
To combat rising cyberattacks targeting mental health providers, a layered approach is required, including measures such as:
- Antivirus software
- Encryption
- Endpoint security
- Multi-factor authentication
- Employee training on cybersecurity best practices
Additionally, healthcare organizations must ensure HIPAA compliance, regularly review and update their security protocols, and maintain a backup and disaster recovery plan.
FAQs
What is the primary reason why hackers target therapists and mental health providers?
Therapists and mental health providers are targeted because of their data’s sensitive and valuable nature.
How have digital health technologies contributed to the increased vulnerability of mental health providers?
The rapid adoption of digital health technologies, such as telehealth platforms, electronic health records, and mobile healthcare apps, has expanded the attack surface for cybercriminals targeting mental health providers. New technologies introduce additional vulnerabilities and access points that can be exploited, making it more challenging for healthcare organizations to maintain cybersecurity measures.
What are the potential consequences for mental health providers who fail to comply with HIPAA regulations?
Failure to comply with HIPAA can result in fines, loss of reputation, lawsuits, revoked licenses, and even criminal charges. HIPAA mandates cybersecurity measures to protect patient data. Non-compliance can result in legal and financial repercussions for healthcare organizations.
How can mental health providers improve their cybersecurity posture and protect patient data?
Mental health providers should implement a multi-layered approach that includes:
- Antivirus software and encryption to secure their systems and data.
- Endpoint security and multi-factor authentication to limit access to sensitive information.
- Employee training on cybersecurity best practices to mitigate the risk of human error.
- Regularly reviewing and updating their security protocols to keep pace with evolving threats.
- Maintaining a backup and disaster recovery plan to ensure the availability of patient data in the event of a breach.
How can regulatory bodies help address the issue of cybersecurity in the mental health sector?
Regulatory bodies, such as the FTC, have taken a more active role in addressing data privacy and security issues in the healthcare sector, including the mental health industry. Through enforcement actions and the implementation of stricter regulations, these agencies can compel healthcare organizations to prioritize patient data protection and face consequences for non-compliance.