Hacks of therapy and mental health patient information is prevalent due to the value of the data on the dark web.
1. Hack of psychotherapy records in Finland affects thousands
In late 2020, tens of thousands of Finnish patients’ psychotherapy records were leaked online. The hackers accessed records belonging to the private company Vastaamo, which runs 25 therapy and mental health centers across the country. Thousands of patients filed police complaints after receiving emails demanding €200 (£181) in bitcoin to keep their records private. Many of the patients affected were children.
Vastaamo’s internal investigation found that the actual hack happened two years prior. It was also reported that a 10-gigabyte file containing over 2,000 patients’ private notes with therapists had already appeared on the “dark web.”
The head of the state digital services agency DVV said the cyberattack could have been avoided if Vastaamo had used better encryption. “Management needs to wake up,” he told a public broadcaster.
2. Dutch technology company hacked, affecting thousands of healthcare organizations
In October 2022, Netherlands-based technology company Nedap was exposed to a hacking incident of its Carenzorgt.ni (Caren) portal. The portal was used by thousands of healthcare organizations throughout the country.
Of the victims, 184 of them were clients of mental health clinics Reiner van Arkel and Ypse in Den Bosch. Soon after the hack, police arrested a 19-year-old man they believed was connected to the crime. They are not sure whether the teen has sold any of the stolen data.
Even though the investigation is still underway, it seems like the security failure was not the therapy clinics’ fault, but Nedap’s. The company conducts annual external audits to fix vulnerabilities, but some undetected flaws remained.
3. Thousands of LA student’s mental health records posted to the dark web
The Los Angeles school district is under fire for not notifying parents and students after a ransomware attack in 2022. The attack resulted in 500 gigabytes of stolen data being published to Vice Society, a site on the dark web run by a Russian-speaking ransomware gang. The data includes tens of thousands of individual files including student psychological evaluations, medical histories, social security cards and financial records.
Cybersecurity experts say that the “lack of transparency by the district highlights a gap in existing federal privacy laws. Under existing federal laws, school districts are not required to notify parents when students’ personal information is exposed.”
“It’s deeply disturbing that an organization that you’ve entrusted with such sensitive information is either significantly delaying — or even hiding — the fact that individuals had very sensitive information exposed,” said Doug Levin, National Director of the K12 Security Information eXchange. “For a school system to wait six months, a year or longer before notifying someone that their information is out on the dark web and being potentially abused is a year that those individuals can’t take steps to protect themselves.”
In early October 2022, the school district’s Superintendent said that “people would be contacted if their information had been exposed.” and that “no news is good news.”
Related: What is ransomware and how to protect against it
4. Behavioral Health Group notifies 197,507 patients in data breach
In 2022, Behavioral Health Group (BHG) started to notify 197,507 patients of a cyberattack that had taken place eight months prior. The attack forced BHG and its 80 clinics to a week of IT outages that resulted in delays in patient medication.
The stolen data varied from social security numbers and passports to health insurance information and medical diagnoses. Patient’s who’s SSNs were compromised received free credit monitoring.
Since the attack, BHG has upgraded its IT network and made security improvements including a third-party security monitoring solution and training employees on threat detection and security.
5. Philadelphia-based mental health provider notifies patients six months after security incident was discovered
Philadelphia-based mental health services provider, Horizon House, began notifying 35,000 individuals that their health records may have been stolen by hackers in a data security incident. The type of information stolen included addresses, SSNs, medical treatment information and health insurance information.
The fact that Horizon House waited six months to notify patients is worrisome. “One of my immediate concerns about this higher-risk breach is the trauma that could be caused for the 35,000 victims,” says Jim Van Dyke, senior vice president at security firm Sontiq, which analyzes and rates the severity of data breaches based on the type of information compromised. Sontiq rates the Horizon House breach “an unusually very high 7” on its 1-10 breach risk severity scoring system, Van Dyke notes.
Under HIPAA, healthcare organizations must notify patients of a breach of unprotected PHI within 60 days of discovery. And while delayed notifications seem to be a problem with many healthcare entities, federal regulators have been known to give penalties to a few organizations that break these rules.
How to stop cybersecurity attacks
While cybersecurity attacks aren’t 100% preventable, there are many things an organization can do to keep attacks at bay.
- Implement cybersecurity program
- Train employees on how to avoid phishing attacks
- Limit who has access to patient health records
- Backup plan in case of attack
- Disaster recovery plan
- Backing up data
- HIPAA compliant email solutions
When measuring your organization’s security standards, remember that Paubox provides an easy compliant email solution. Paubox Email Suite provides advanced email threat protection to keep your organization secure and patient data safe. Paubox offers robust inbound email protection against threats like malware, spam, viruses, and phishing scams.
Keep your patient data safe from ransomware, phishing attacks, and other dangers with advanced email threat protection.
