If you are Finnish, you most certainly have already heard about the Vastaamo data breach case. In short, the client data records of a big Finnish psychotherapy company, Vastaamo, have been hacked, probably twice, and the data and session notes of 60 000 people have been stolen. At least parts of this huge data including people’s names, phone numbers, email addresses, and session records have been publicly available in Tor. Yesterday, on Saturday the 25th, hundreds of the victims started receiving blackmailing emails in which they were threatened that their sensitive data will go public unless they pay the ransom of approximately 200 euros in Bitcoins within 24 hours. During this weekend, a wave of disbelief, rage, and disdain has washed over Finland. You can get more information about what has happened on this article by YLE. In this blog post, you will get my experience of when I was hacked -my Vastaamo data breach story.
Trust: The Treasure that Money Can’t Buy
The basis of therapy is the trust between the therapist and the client. The trust has two main components: Feeling that this person is genuinely here to help me and that whatever I tell them stays between us. Without these building blocks, there is no therapy in any real meaning of the word. You cannot access and formulate your innermost feelings and the most sensitive, shame-inducing, sad, crazy, angry, and difficult thoughts and feelings without feeling that the therapist is holding a secure base for you and is ultimately on your side, like the mother or father figure that many therapy clients never had.
No matter how strong the alliance between the client and the therapist, if the client cannot trust that their data is safe and is not in danger of leaking to outside hands, this alliance is without grounds. So far, we Finnish people have probably been trusting too blindly on the security of our data in all the dozens of data systems that hold our personal information. Naive or not, it has never crossed my mind that my personal records in hospitals and elsewhere in health care would not be safe.
Sometimes, some clients ask good questions of what it is that I write, in which system, and who can see it. Hence, I have taken it as a policy to always make all writing processes associated with my work as a clinical psychologist and career coach as transparent as possible. I tell my clients what I write, for what purpose, and where, who can see it and why, and I give them the chance to read and comment on what I write of them in the official documents that serve some purpose within e.g. the health care or employment services.
My Extortion Experience
When I first read the news of the data breach scandal, I only felt some frustration and anger. I vaguely remembered a time as a young psychologist when I was wondering about love, my relationship patterns, and what prevented me from finding a good relationship. I went to see a therapist in this company, Vastaamo, did I not? I didn’t put too much thought into it and went on treating my own clients, working on my research, and preparing for a fun hackathon event I took part this weekend.
Even when the therapy company sent me an email for a couple of days ago, informing me that my data had also possibly been stolen, I wasn’t very concerned. Why worry about a potential problem -I will deal with a problem when there is one. And I continued focusing on other things.
Yesterday, just after a long day at the hackathon, I received an email from an extortionist. (Translated from Finnish): “Dear Mrs. Heidi Toivonen [my social security number]. As you probably already know from the news, we have hacked the patient records of Vastaamo. We contact you because you have used the therapy and/or psychiatry services of Vastaamo. Because the executive level of Vastaamo has refused to take responsibility of their own mistakes, we are unfortunately forced to ask you to pay to keep your personal information secret.” And so on and so forth, until the bitcoin wallet link at the end of the email.
What I would like to say to this pathetic slime lurking somewhere in his musty garage and hoping he would have a girlfriend and a job: Go f**k yourself. I won’t be the one paying these bitcoins so that you can buy more adult entertainment and coke.
What To Do If you Just Got Hacked/Your Personal Data Was Stolen?
I have many a times noticed that when the storm hits, I become completely calm and go into a hyper-functional mode. I made an official police report and spend a good deal of time making sure that my personal data cannot be misused against me. Good tips are listed in this article. In short, the National Cyber Security Centre is recommending that you take steps to prevent all financial damage by contacting your bank to check whether your online banking credentials have been compromised, report the crime, request ban on credit report at both Asiakastieto and Bisnode, and request address protection. You can also get in touch with the Digital and Population Data Services Agency DVV to request for a prohibition of disclosure of your personal information and request the Finnish Patent and Registration Office not to be entered in the Trade Register without express consent.
After the official steps had been taken, it was time to allow for the feelings of having been violated to come through. It started to sink in that I had just been the victim of a couple of a crimes. I began to understand, albeit remotely, how someone must feel when a burglar has intruded into their home.
Luckily, a little bit of reasoning made it clear that even if all of the therapy talks I have ever had would be published somewhere, I would not be in danger or in any kind of trouble. I started to imagine what kind of therapy sessions I should have had in order to make me panic about them being published somewhere. This revealed to me again something of the different levels of stigma attached to different mental health challenges and how I myself still label and categorize them, being very aware of the heaviness of certain diagnoses, for example. Then I remembered the words, voiced for more than 10 years ago by my clinical training supervisor: “All of us psychologists have the same problems as the clients but hopefully in a milder form.”
Nobody Can Make You Be Ashamed of Something
Going to see a therapist, whether it’s once or twice or for five years, is not a shame. It shows that you recognize your problems and are willing to take responsibility (probably unknown concepts altogether for the squibs behind this data breach saga). Everybody who takes care of themselves in any manner should be proud of it. Even if I do understand the feelings of fear and anger that people can have in this situation, I hope nobody feels shame and if they do, I hope there is someone nearby to talk them out of it. Many people are also worried of all the possible consequences of what could happen when their personal contact information and social security number are in the wrong hands, and this fear is in many cases entangled with other worries of what having your therapy records go public could bring about.
Currently, the Finnish people are joining their forces in a truly touching manner. The social media and newspapers display a unified message: Everybody is siding with the victims of the data breach and judging the hacker(s) and the person/people sending the blackmailing messages (we are most likely talking about two different groups or individuals).
I have been touched to see mental health professionals sharing a message that reads “Taking care of your mental health is nothing to be ashamed of. I also need therapy. All support to the victims of the Vastaamo data breach. You are not alone.” There are celebrities stepping out on social media, telling openly that they have been victims, too, and thus also sharing the fact that they have been to therapy. Newspapers and social media are flooded with tips on what to do, how to protect your data, and helplines to contact.
The police is working hard with extra officers and in collaboration with enraged hackers, the government is having an emergency meeting. The spirit is clear: Whoever are behind this are losers, and we all could have gone to therapy (or did).
The impact this breach has on the trust of thousands of people who had problems in trusting to begin with is beyond measure. The fear of vulnerable people who have had their privacy and intimate processes violated is valid and understandable. I cannot even imagine how worried a person with for example years of therapy records on Vastaamo database can be, or how scared a person who believes their career or private life could be impacted by the information leaked. However, the shared rage and concern that I witness by Finns offline and online has a deeper message: We are all in this together.
We all have a mental health. We all encounter complexities that are beyond what we can figure out on our own. Mental well-being and mental illness are not black and white categories but a scale with an infinite range of greys. We all have an intimate inner world and a need to protect some parts of ourselves. We all have a need to draw a circle around certain things and say “This is mine and I choose carefully with whom I share it”.
My Therapy Session (Retrospective Notes)
I remember quite well my one and only visit to this therapy company. It was a time between boyfriends when I felt that there is a maladaptive pattern that keeps me attracted to cold and unavailable men, and even if I had worked on this, I was still repeating the same game. I booked a session with someone I thought, based on their profile text on the company’s website, would have a fresh perspective on these dynamics.
I remember from this session that took place probably around 2012, that the therapist was very pretty and well dressed and had an impressive hairdo. I didn’t feel a great personal presence of the therapist, I didn’t feel a real connection. I remember her asking in a harsh voice, probably intending to sound direct, “I’m just wondering here how you find all these emotionally unavailable guys?”. I thought that this question was not really empathetic, nor did it offer any revelation: Wondering about this was the exact reason I had booked the meeting in the first place. I remember the session had a tense and rather superficial vibe. The therapist’s beehive hair is my most vivid memory of the meeting, together my feeling of disappointment. I felt the therapist was there because she wanted clients for the money, not because she felt any passion to help me.
When she then after the meeting walked me out of the room to the hallway, a couple came towards us and she greeted them in passing. They were the clients of the next meeting, and as soon as she had left me at the door, she returned back to the office with them. I felt like on a production line -one client out, next ones in. In my mind, this production line feeling merged with my feeling that we were not really forming a genuine contact in the session, and I never returned to see her.
I have seen a few other therapists, too, both before her and after her. They were not at Vastaamo. For example, When I got tired in a previous job many years ago, I discussed my motivations to stay and motivations to leave with a professional, and when I wanted to give a boost to myself trying to learn to be more clear with my boundaries, I saw a therapist. To me, going to a therapist is no different from going to a hairdresser or to a dentist. If I don’t like my hair, I go to a hairdresser to figure out what we can do about it. If I have a toothache, I find the best professional to help me with that.
Dear Hacker and Dear Extortionist
Dear hacker and dear extortionist: I could not care less if you publish my session notes somewhere. I am proud to have seen a therapist, in fact, a bunch of therapists for different reasons in different phases of my life. It makes me a better therapist myself, with the same logic that if I were a truck driver, it would be a big part of my work ethics to go and have the tires changed every now and then. Nobody who has gone to a therapist for any reason for any length of time has nothing to be ashamed of. But this bravery of the clients is nothing public, it is a private escapade.
The sessions and the notes written by the therapist, this necessary archive of details and understanding developed during the meeting, is a collage of communication between the client and the therapist. It belongs to the deep and intimate realm of life that consists of our fantasies, nightmares, dreams, hopes, fears, conflicts, monsters, highest joys and deepest worries. To steal these and to try and profit with them, even referring to the “irresponsibility of Vastaamo” as an excuse, is simply cowardly and cruel.
Dear Hacker and Dear Extortionist, it is completely against my nature to hope anything bad to anyone, but I do hope that you get to seed what you sow and that both the earthly justice and the unearthly logic of karma do us all a favor. In my imagination, karma setting the records straight is you having a taste of your own medicine: Having your most embarrassing fantasies and fears ripped out of your subconscious and exposed publicly, visible for all of us. Feeling in your bones the terror of such a prospect, laying awake in the night thinking what could be your worst secret you don’t want to go public and then seeing a sweaty, tormented nightmare where you are running around the city completely naked.
May We Not Feel Alone or Ashamed
May the rest of us continue to restore our trust on each other and even on data systems. After all, beyond the evident but hopefully temporary loss of trust on data security, therapy companies, and the decency of humankind, there is a deeper layer of meaning in this saga. It is the fact that we are all in this together. The whole Finland. 60 000 people is not some small weird minority. It is all kinds of people going to therapists and doctors for a million different reasons. It is your neighbor, brother, colleague, the mailman and the grocery store cashier.
We all have a mind and we all have mental health, more or less of it. May we not be ashamed. My Vastaamo data breach story culminates in this realization: I am not ashamed of anything that I have done, not even of those things I would, in retrospect, choose to do differently, if I had the chance. I most certainly am not ashamed of going to therapy, because I would not be ashamed of going to a hairdresser or to a dentist.
I hope this chain of events leads to reduced stigma of mental health issues and a strong sense of unity -Finns standing together, hackers helping the police, public figures joining this I-needed-therapy-too -movement. We can be angry, disappointed, and have many other feelings, but may we not feel alone or ashamed.