Abstract
OBJECTIVE: The Vastaamo psychotherapy data breach in Finland is perhaps the largest cybersecurity incident in mental healthcare to date, resulting in significant patient harm. There are specific lessons for mental healthcare providers from an analysis of the incident. METHOD: Case study of this specific electronic health record data breach, based on detailed media reporting. RESULTS: The issues raised include: the importance of governance of the cybersecurity of sensitive personal patient data, such as compliance with legislative requirements on privacy and data security; specific security measures such as de-identification of data, data protection via passwords, multi-factor authentication, firewalls and encryption; and timely and effective communication, and support of those who have been affected. CONCLUSIONS: The implications for mental healthcare providers, including psychiatrists and trainees, are that, within their capability, providers need to assess the efficacy and robustness of cybersecurity of electronic health record systems they use, and carefully consider the information that is recorded to minimise exposures such as in the Vastaamo breach.