For a cyber criminal, healthcare records are one-stop shopping. Sell a Social Security number? Of course. Credit card numbers: They're good on the black market, too. And for those criminals who love scams, there are phone numbers, email addresses, birthdays.

And of course there is always blackmail, which is what happened to psychotherapy patients in Finland whose records were stolen in 2018 and 2019. These patients had attended a private psychotherapy clinic in Helsinki. Forbes reported that a bit less than 1% of the Finnish population received threats of exposure in October of this year unless they paid into a crypto currency account.

When the clinic refused to bow to ransom demands, the hackers blackmailed clients. At least 300 clients who did not pay up saw their private information and even session notes leaked online, according to ABC news.

Ransom demands also can be made on an entire healthcare system; the US Treasury Department said in an October 2020 report that small businesses and hospitals are vulnerable to such attacks because they often do not have the money to invest in advanced cyber protection.

Generally speaking, cyber criminals hacked into 27 healthcare service providers or organizations in 2019. To provide perspective and a human dimension to those numbers, 15 million records were reported stolen in 2018. Last year, that figure had grown to 41.4 million.

Could this happen in here

Despite legal safeguards, starting with HIPAA (Health Insurance Portability and Accountability Act), electronic data is vulnerable to hackers, say experts. And psychotherapy records are especially sensitive – and vulnerable – because clients assume all sessions are confidential and secure.

Medical Daily reached out to educational psychologist Roseann Capanna-Hodge, EdD, founder of the Global Institute of Children's Mental Health in Ridgefield, Conn. She talked with us via email about what therapists can do to protect their clients’ privacy.

MD: What protections are in place to safeguard mental health patient records?

Dr. Campanna-Hodge: All therapists need to consider HIPAA concerns, and all of their technology needs to be HIPAA compliant. Therapists are ultimately responsible under the HIPAA Security Rule and Privacy Rule for ensuring the confidentiality, integrity and availability of electronic protected health information (ePHI) that their technology stores, transmits and collects.

As therapists move into teletherapy, some of the more difficult information for therapists to protect might be things like IP addresses (the unique identifier of a patient’s internet connection). In this case, when choosing a teletherapy technology, therapists want to make sure that the vendor has controls to protect this information.

The HIPAA Privacy Rule addresses the need to balance sharing PHI [protected health information] and ePHI in order to provide the best possible care with the need to protect patient privacy. The most important part of the Privacy Rule is giving patients control over how you use their information, with whom you share it, and when you share it.

MD: Is paper still used?

Dr. C-H: There are some clinicians that still use paper files, but even then, HIPAA privacy rules still apply. File cabinets must be locked and access must be restricted.

MD: Is this data breach [in Finland] likely to cause mental health patients to be more cautious about seeing a therapist and how much they might disclose during sessions?

Dr. C-H: In this world of frequent data breaches, most individuals come to understand that it is part of the online world. With that being said, patients should ask their providers how their data is being protected, so they can feel better about their privacy. Fear of private information leaking is often why many choose to go out of their insurance network for services, as their private data isn't accessible to their insurance company. Many fear that their mental health information will be used against them in the future when they need additional or new insurance.

Protecting digital records

“The industry has gotten a lot better at understanding risks involved in storing information since EHRs [electronic health records] became mandatory,” said Adam Jackson founder and CEO of 360 Privacy, www.360Privacy.com, a digital privacy firm in Franklin, Tenn.

“The system was not ready for the amount of video health sessions that are required since the Covid pandemic started,” Mr. Jackson told Medical Daily . “There are two main vulnerabilities. The first is a bad actor intercepting the video feed, and the other is the transcribed notes of the mental health professional being compromised.”

To mitigate those risks, Mr. Jackson advised health professionals to:

1. Use reputable IT vendors with a long track record in their industry.
2. Use a commercial virtual private network (VPN).
3. Have a third party conduct audits of their system regularly.
4. Have an internal compliance team and conduct regular training.

Planning ahead

Professional associations and licensing bodies take the same security precautions with electronic mental health records as they do any patient record. The American Hospital Association (AHA) acknowledges that, while keeping all of a patient’s electronic records– doctor’s notes, lab results and test outcomes – in one electronic bundle helps the patient get the best possible care, it also makes the EHR, or electronic health record, appealing to cyber criminals.

The security of records, whether electronic or paper, cannot be 100% guaranteed. Unauthorized access to patient records has been rising ever since electronic health records were introduced. Paper records, too, can be accessed if the criminal is determined. Despite the best efforts of all involved, data breaches do happen, and as systems improve, cyber criminals are already finding new ways in. The AHA recommends that healthcare facilities have security systems that are flexible and can be adjusted to block unauthorized access to patient records when new attacks are identified.

Yvonne Stolworthy MSN, RN graduated from nursing school in 1984 and spent years in critical care. She has been an educator in a variety of settings, including clinical trials.