TY - JOUR
T1 - Cybersecurity lessons from the Vastaamo psychotherapy data breach for psychiatrists and other mental healthcare providers
AU - Looi, Jeffrey C.L.
AU - Allison, Stephen
AU - Bastiampillai, Tarun
AU - Maguire, Paul A.
AU - Kisely, Steve
AU - Reutens, Sharon
AU - Looi, Richard C.H.
N1 - Publisher Copyright: © The Royal Australian and New Zealand College of Psychiatrists 2024.
PY - 2025/2
Y1 - 2025/2
AB - Objective: The Vastaamo psychotherapy data breach in Finland is perhaps the largest cybersecurity incident in mental healthcare to date, resulting in significant patient harm. There are specific lessons for mental healthcare providers from an analysis of the incident. Method: Case study of this specific electronic health record data breach, based on detailed media reporting. Results: The issues raised include: the importance of governance of the cybersecurity of sensitive personal patient data, such as compliance with legislative requirements on privacy and data security; specific security measures such as de-identification of data, data protection via passwords, multi-factor authentication, firewalls and encryption; and timely and effective communication, and support of those who have been affected. Conclusions: The implications for mental healthcare providers, including psychiatrists and trainees, are that, within their capability, providers need to assess the efficacy and robustness of cybersecurity of electronic health record systems they use, and carefully consider the information that is recorded to minimise exposures such as in the Vastaamo breach.
KW - cybersecurity
KW - data breach
KW - Electronic health record
KW - governance
KW - psychotherapy
UR - http://www.scopus.com/inward/record.url?scp=85206949963&partnerID=8YFLogxK
U2 - 10.1177/10398562241291340
DO - 10.1177/10398562241291340
M3 - Article
C2 - 39400039
AN - SCOPUS:85206949963
SN - 1039-8562
VL - 33
SP - 106
EP - 110
JO - Australasian Psychiatry
JF - Australasian Psychiatry
IS - 1
ER -