Private psychotherapy sector not supervised, Valvira explains

The supervisory authority Valvira is investigating a psychotherapy centre's severe patient data breach.

Pedestrians at a zebra crossing, file photo. Image: Henrietta Hassinen / Yle

Earlier this week, the private psychotherapy centre Vastaamo announced that its patient database had been hacked and that the perpetrators were demanding payment of nearly half a million euros for the data's return.

But the blackmailer then began to publish the highly sensitive personal data of more than 200 of Vastaamo's patients on the dark web, including information about their personal lives and mental health issues, along with their names, addresses and social security numbers.

At Vastaamo's request, authorities including the National Supervisory Authority for Welfare and Health (Valvira) have opened an investigation into the matter, including how the hackers carried out the breach.

Valvira's chief medical officer, Kaisa Riala, said she wonders whether the company's data was as well protected as similar databases in the public sector.

"I don't have any idea about what kind of systems they use, but [doctors'] patient journals are always confidential," she said, adding that it is worrying when information about therapist-client discussions is leaked online.

Private firms not monitored

When companies like Vastaamo open for business, an initial report about their operational plans must be filed with Valvira or a Regional State Administrative Agency.

After that, however, private psychotherapy firms are not monitored unless complaints are filed against them, according to Riala, who said she was unsure whether Vastaamo's report was sent to Valvira or to a regional agency.

There are hundreds of private psychotherapists and between 10 and 20 psychotherapy centres like Vastaamo in Finland, Riala said. Vastaamo employs about 300 psychotherapists, who work at 22 offices around the country.

Riala said that she hopes that news of the patient leak doesn't prevent people from seeking mental health services.

"I personally think this was a question of bad luck, and that for some reason it affected Vastaamo now. This does not mean that computer systems within the private sector are generally any riskier than on the public side," she explained.