40 comments

  • ChrisMarshallNY 1250 days ago
    This is a classic "Damoclean sword" conundrum.

    The ability to digitize and aggregate the data, and maybe even subject it to some kinds of AI, might result in massive improvement in therapy.

    Mental health treatment has come an incredibly long way, just in the last couple of decades. It's even more amazing, when you look at how it went a hundred years ago. Some of the reasons are because of the ability to study treatment methodologies and outcomes.

    But having the data in a place where that can happen is very, very risky.

    People with mental health problems tend to be treated as "disposable people" by a lot of folks. I guarantee that the first thing the hackers did was find a way to "dehumanize" the people in their data. Having the people as "data" went a long way towards that.

    But people will die as a direct result of this breach. That's not hyperbole. It will happen. Some people will commit suicide, some will avoid treatment, causing all kinds of collateral damage, and some may actually kill other people, because of this.

    I have a lot of close, personal experience with people suffering from mental health issues, and this is about as bad a nightmare as you can imagine.

    It will reverberate around the world.

    • dijksterhuis 1250 days ago
      If anyone out there ever reaches that dark place of wanting to commit suicide, please remember that you can speak to someone, for free, 24/7 on these numbers for USA and UK.

      * US national suicide hotline: 1-800-273-TALK (8255)

      * UK Samaritans hotline: 116 123

      You can go to one of these sites for phone numbers in other countries:

      * https://www.suicidestop.com/call_a_hotline.html

      * https://wikipedia.org/wiki/List_of_suicide_crisis_lines

      Whatever happens, whatever you've done, I think your life is worth saving. Even if you don't.

      Edit: updated with lists for rest of world.

      • dleslie 1250 days ago
        Perhaps this is a nitpick, but in the interest of raising awareness and diminishing harm I would like to add that not everyone who attempts suicide is in a dark place.

        I have a close, immediate family member who has attempted suicide on numerous occasions. Sometimes she was in a dark place of depression and despair, for sure, but other times she was high on life and full of energy. Those times it would be a sudden urge that came over her, and not an outcome of despair.

        • justaj 1250 days ago
          Wouldn't one classify such sudden urges as sudden dark places then?
          • klodolph 1250 days ago
            You could, but it's not a very helpful way to think about things.

            If you think, "I want to commit suicide, therefore I must be in a dark place," it's putting the cart before the horse, for sure. Most people are under the illusion that suicidal thoughts stem from feelings of depression / sadness, and the reality is that these are three entirely different things: suicidal thoughts, depression, and sadness are three things which are often very different from each other.

            So you think someone must be sad because they have depression, or they must not be depressed because they aren't sad, and these incorrect beliefs can lead to harm.

            And you also think that someone who is not acting sad or depressed must not be thinking about suicide, when very often someone who has decided to commit suicide may feel very happy or liberated having made that choice.

            It can be really enlightening to talk to different people who have experienced or who experience suicidal ideation, because their experiences are varied, and while suicidal ideation is considered a risk factor, it doesn't mean that you're more likely to commit suicide and the people with suicidal ideation are often reluctant to talk about it because of the stigma. Like, "I experience suicidal thoughts, and I want to talk about them, but if I talk about them, people will wrongly think I want to commit suicide, or wrongly think that I am depressed, or wrongly think I am sad, so I am unlikely to get the sympathy or help I need and it is likely that talking about it will have a negative impact on my relationships."

            • PhilosAccnting 1249 days ago
              As a former suicide-considering person (never attempted), I sincerely believe it's worth separating the action from the desire.

              We get all sorts of desires. The mind is full of inactive, dormant code. But, when we get one of them, then entertain it long enough, and the environment is just right, people most certainly will do horrible things, including killing themselves and others.

              I'm not implying that it's all programmable, but more that decisions are the consequence of many variables after the initial temptation.

      • creata 1250 days ago
        On this subject, how do I know that the fact that I used these services (and other mental health services) won't ever be used against me? From data abuse, to hacks (as in this article), to the questionable act of involuntary confinement, there's a lot of reasons people are scared of using these services.
        • dijksterhuis 1250 days ago
          From: https://www.samaritans.org/how-we-can-help/contact-samaritan...

          Is this service confidential?

          Yes, except for in certain situations where our safeguarding policy means we may tell someone, for example, by calling an ambulance. Read more about when we do this.

          On the phone

          When you call Samaritans, your number is not displayed to our volunteer. The phones we use don’t have caller display information on them.

          We might ask your name, because it’s a natural question to ask in a conversation, or because of something you have said to us, but you don’t have to tell us if you prefer not to.

          Via email

          If you've emailed us, your email address will not be shown to the volunteer.

          In person

          You don’t have to tell us your name if you don’t want to. In the unlikely event that you see the Samaritan volunteer that you spoke to later on the street, the Samaritans volunteer will not acknowledge you, unless you do so first. This is to respect your privacy and the confidentiality of your visit, unless you wish to recognise it.

          By Letter

          We will need your name and address to reply, but to maintain confidentiality, your letter will be shredded once we have sent you our response.

      • renewiltord 1250 days ago
        This is a pretty enduring meme (in the Dawkins sense). I wonder if it has any effect at all.
        • ineedasername 1250 days ago
          You don't need to wonder. Millions [0] of people call it each year, and that doesn't happen without it being disseminated. Dissemination works.

          As further evidence (albeit anecdotal) I have noticed, especially in light of prominent suicides in the last few years, that the information posted seems to be getting more attention, with, as you called it, meme-like inclusion almost everywhere and every time suicide is discussed. This has correlated with an increase in the number of calls they receive.

          They have received more than 12,000,000 calls since 2005, with 8,500,000 just between 2014-2018, much faster than the increases in suicide rates.

          [0] https://suicidepreventionlifeline.org/wp-content/uploads/201...

          • laurent92 1250 days ago
            However, people who call are not necessarily people who would commit. There is little correlation between phone calls and actual progress, if not the usual « giving an impression of progress, while the problem entrenches itself. » Those may be two groups with surprisingly little overlap. I’ve called 6 numbers when I thought about it, none of them answered (turns out in France they’re all closed after 9pm, badly staffed, or reserved for teens or women), yet I didn’t commit suicide (I did commit criminal activity though, as a revenge for society not returning my call to this day, and generally society being vengeful towards men because supposed ancestors were supposedly mean to women).

            People who commit have real problems that a phone call generally doesn’t solve, unless your problem is just about feelings, which is... let’s say it helps those who call for attention a lot, and who would end up with a failed attempt to call for attention, which will attract attention, but it will hide the real x5 numbers behind the scenes of the other gender who actually commits suicide when they try.

            It’s time to stop with the « let’s speak about it » attitude, and start with the « let’s give you funds/education/solve your parental problems/throw the book at your boss/mandate your wife to let you see your kids/stop sidestepping you at work/fix the VA together » attitude.

            Men are not an option.

            • ineedasername 1250 days ago
              You are very much mischaracterizing the type of person who considers, attempts, or commits suicide. Many people seeking help are grasping at the last slight hope that something, anything, might make things better. Characterizing that population as "attention seeking" or "just about feeling" is an extreme insult to those honestly seeking help.

              I have a certain degree of personal knowledge on this topic, and there are absolutely people who would be dead right now if they made that call... And no one picked up on the other end.

            • watwut 1250 days ago
              I like how you are trying to frame the issue as sexism against males while also throwing around stereotypes that prevent males from seeking help for their mental health problems.

              Also, I don't understand why there is so much anger around people who are so starving and desperate for attention. You were quite apparently looking for attention too. That you turned your frustration at others does not make it less so.

        • scrollaway 1250 days ago
          During a US trip (before the extent of today's always-on mobile internet), I was unaware that 911 was the wrong number to call when you're close to suicide.

          They won't call the suicide hotline for you. They won't transfer you. They won't share their number. What they'll do is send the police.

          I can safely say, in retrospect, that although I survived it, it took nearly a decade to fully heal from that event. But in the mean time, I also learned (thanks to posts like these) about the Samaritans and later in the UK, they helped me get through the tougher moments of this process.

          I don't know how significant the effect is, but it's non-zero. :)

          • Kye 1250 days ago
            A growing number of places are realizing that sending a militarized police force for mental health crises is not a good idea and turning to actual qualified people instead.
          • dijksterhuis 1250 days ago
            Sounds horrible. Glad to hear that you found the help you needed.
        • op00to 1250 days ago
          It’s my experience that such lines are impersonal, with staffers that fail to understand and humanize the caller.
          • dijksterhuis 1250 days ago
            I'm sorry you had a bad experience. My first Samaritans call wasn't exactly a breeze either (a lot of uhuh, sure, yeah).

            I will say -- these phone lines are staffed by human beings. Even with the best of intentions, they're just that, humans. They wont always get it right.

            But, when they do, it can be life changing.

            I'm always grateful for the kind Samaritans lady who stayed on the phone for over an hour one night.

        • wavefunction 1250 days ago
          Even one person saved is an effect.
      • chopin 1250 days ago
        The problem with these lines is that you need to out yourself as having mental problems. After this breach I'd be very reluctant to do this. E.g. in Germany, pseudonymous health data is centrally stored for research purposes, open to a non-specified number of research institutions.
    • hutzlibu 1250 days ago
      "Mental health treatment has come an incredibly long way, just in the last couple of decades."

      Personally I am not convinced about that. Or do you mean that from an academic perspective?

      Because in the real world, the therapy method I have mostly seen, was and is keeping people calm with pills.

      • ChrisMarshallNY 1250 days ago
        Um...I have close, personal, and intimate relationships with many people that suffer from mental illness, and have had this for decades.

        I do a lot of "extracurricular" work, trying to help folks get back on their feet.

        So, not academic. Personal.

        > Because in the real world, the therapy method I have mostly seen, was and is keeping people calm with pills.

        I consider that offensive. It's a fairly classic "strawman" argument that is used to "dehumanize" people that suffer from mental illness, and also dehumanize people trying to help them. I know many people that would be in very dire straits, if not for medication, therapy, and many years of hard work.

        I'm pretty upset by this, and by the reactions.

        I am not a therapist. Just someone with "skin in the game."

        These aren't "data points." These are people, and chances are good that we all have folks in our orbit that have mental health issues.

        • meritganset 1250 days ago
          To be fair, you made a claim that "mental health treatment has come an incredibly long way". And the only evidence you have offered to back that up is a vague personal anecdote.

          The poster was simply providing their viewpoint on the state of mental health that differs from yours.

          I understand these things can cause strong emotions, but you don't do yourself or your stance any favors by letting it get the best of you here.

          • behringer 1250 days ago
            Vague personal anecdotes versus hutzlibu's vague personal anecdotes.

            Quite frankly, the pills work. A lot of people would be unable to lead normal lives without them.

            • BigBubbleButt 1250 days ago
              > Quite frankly, the pills work.

              Sometimes they do and sometimes they don't. I had a seizure because of medication I was put on for a mental illness I didn't believe I had. I wasn't 18 and my parents essentially forced me to take them. The pills didn't do anything for me besides give me a seizure that easily could've killed me (I was hospitalized).

              There's also actual research suggesting these pills can increase suicide attempts.

              https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3353604/

              There is enormous money to be made suggesting these pills are useful, so I don't just assume it to be true. I also know many other people who feel anti-depressants ruined their lives. I also know many people who feel anti-depressants saved their lives.

              It's not black and white. Personally, I feel the efficacy of pills for mental health is greatly exaggerated - but it's easy to see why I might be biased.

              • jedimastert 1249 days ago
                > a mental illness I didn't believe I had

                I don't know your personal journey, but I think it would be fairly easy to find people with very deep, very real mental health problems who fully believe they do not have a problem.

                > The pills didn't do anything for me

                Again, I don't know your personal journey, but as a counter anecdote when I started taking medication I couldn't tell if they were having any effect at all, but apparently it had such an effect that some of the people around me could tell me the day I started taking it, along with measurable improvements.

                Not to invalidate your experiences, just adding to the anecdotal pool

              • OpticalWindows 1250 days ago
                Also the placebo effect is right on their heels in terms of effectiveness
                • lazyasciiart 1250 days ago
                  Can the placebo exist without the "real" pills? More practically, does anyone prescribe placebo outside of a clinical trial?
                  • Reelin 1249 days ago
                    Yes. It is the same real, measurable response you would get from an effective medication even though no medication was given. In many cases the rate at which placebo occurs is surprisingly high. (https://www.medicalnewstoday.com/articles/306437)
                    • lazyasciiart 1248 days ago
                      I know what placebos are. But the effect is created by telling the patient you gave them medication. So I don't believe it's possible to make "treatment by placebo" a standard.
                  • manquer 1250 days ago
                    Homeopathic treatment is largely placebo.

                    A board-certified doc will never prescribe placebo; he will get sued. Plenty of ppl are getting them via alternative medicine though.

            • minerjoe 1250 days ago
              They do work. They also harm many people.
          • ChrisMarshallNY 1250 days ago
            To be fair, even though I am not, myself, a therapist, I have been dealing with them for decades.

            It's not "vague, personal anecdotes." It's real world experience.

            But you are right. This is upsetting, and seeing the way that it is being treated by people that I respect, otherwise, is upsetting.

            This is the last I'll say anything.

            • airstrike 1250 days ago
              Vague personal anecdotes don't mean they are not from the real world.

              You're taking someone else's valid criticism of the state of the therapy methods available today and taking it personally as well as unwarrantedly attributing it to a lack of sympathy.

              You fail to understand that the goal of criticizing the therapy method is precisely so we may find ways to improve it.

              • tsm_sf 1250 days ago
                What makes this single point of view a valid criticism?
                • hn_throwaway_99 1250 days ago
                  Because, getting back to the original point, stating "Mental health treatment has come an incredibly long way, just in the last couple of decades" without offering any substantive support for this viewpoint (regardless of whether one's anecdotes are "real world" or not) is, in and of itself, a valid criticism. The onus is on the person making the claim to provide a rationale to back it up.
                • airstrike 1250 days ago
                  What makes it not valid? It would actually be great to have an answer to that instead of the parent's complaints
        • hutzlibu 1250 days ago
          "> Because in the real world, the therapy method I have mostly seen, was and is keeping people calm with pills.

          I consider that offensive"

          You might also consider that other people might have "skin in the game", with close, intimate relationships to mental illness patients, too. Some of them tragic.

          And my experience simply is not, that in general psychotherapy evolved a lot. I see rather a trend to favor pills to keep people calm as this is cheaper, than deep psychoanalytical therapy.

          So consider that offensive, if you must, downvote, if that makes you feel better, but it does not change my personal experience.

        • andypea 1250 days ago
          I completely agree with you. I know many people whose lives are made much easier because they have access to medication. The last fifty years have also seen a massive improvement in the lives of people with severe mental health problems (in Europe at least).

          However, support for people with mental health problems is still severely underfunded. The improvements we have seen say as much about the terrible treatment of the past as they do about how well we are doing now.

          Almost all studies I have read find that a combination of medication and other therapies provide for the best outcomes. Most people can only get funding for medication, which is often better than nothing, but it really falls short of what society could, relatively easily, provide.

          It is really a tragedy, not just to the individuals suffering from mental health problems, but also to society as a whole which misses out from all the untapped productivity and creativity.

        • LudwigNagasena 1250 days ago
          It is sad that instead of providing evidence that would support your claim you basically called the person you replied to a Nazi that dehumanizes mentally ill people.
        • Dahoon 1250 days ago
          And I have close, personal, and intimate relationships with mental illness and its medication myself, and if you do know as much as you claim, you would know that many (as in likely most) physicians today think the future will see our current medications on par with lobotomies. Anti-psychotic medicine especially is seen as chemical lobotomies. On top of that, when 1/3 of the US population is on antidepressants, these medications clearly don't work either.

          https://www.psychologytoday.com/us/blog/out-the-darkness/201...

          You might have "skin in the game" but then it is depressing you do not know that almost all mentally ill people would in the long run be healthier without these pills. They mostly only work short-term and absolutely destroy ones health long term. You should be advocating for people to get short-term medically help and long term medicine-free therapeutic help if you really care.

          • stjohnswarts 1250 days ago
            This is a terrible sentiment. You aren't a mental health expert. I have seen more than a couple of people come back from the edge because of medications. We use pills for other issues like heart disease, diabetes, etc. and people live a relatively normal life. The brain is just an organ. Sure, some people would be better off without medication, but lots more would be dead or locked up in a mental institution. Lots of people have chemical imbalances and no matter how much "lie back and tell me your problems" they get, they will never be well. Are medications over-prescribed? I'm sure that's true in some cases as well.
            • profile53 1250 days ago
              I have worked directly and indirectly in inpatient mental health settings intermittently. The parent poster's view is correct with regards to my experience.

              Yes, for some people antipsychotics, antidepressants, etc. are a godsend and the difference between living a mostly normal and productive life vs. jumping off a bridge, dying in a homeless encampment because they cannot feed themselves, or committing violent acts against others. To clarify, none of these are hyperbole or exaggeration -- those are two extremes on outcome with mental health issues and antipsychotics can be the difference between the two.

              That being said, many, if not most, physicians I have worked with agree with the parent comment. For many patients these medications are not effective and are used as chemical restraints [0] rather than with the goal of normalizing their mental health. Eventually the logic becomes "we'll never fix them, but we can sedate them so much they won't hurt themselves or others", so dosages progressively increase until the patient becomes more sedated and somewhat zombie-like. This isn't hospital specific; I have seen it across 3-4 different hospitals in different states. Neuroscience and psychiatry are very young fields and the truth is that we do not know what causes mental health issues or how to deal with them. The chemical imbalance theory is just that, a theory, and more importantly, one with very little scientific proof and backing [1].

              [0] https://www.medicinenet.com/what_is_an_example_of_chemical_r...

              [1] https://www.healthline.com/health/chemical-imbalance-in-the-...

            • Negitivefrags 1250 days ago
              I would be much more willing to believe the chemical imbalance concept if someone could actually explain which chemicals, and what the correct balance is.

              Serotonin you may say? Okay, how much is the correct amount of serotonin then? Can you just give me a test to see if I have the right amount?

              What’s going on here is not quantifiable science. It’s throw something at the wall and see what sticks.

              • knowingwedont 1250 days ago
                You might be surprised at the number of medications which are effective for specific conditions or symptoms but for which we don't know the mechanism that achieves the effect.

                Yes, modern medicine has a large component of throwing stuff at the wall to see if it sticks.

                If it sticks, and it passes all the usual clinical trials to prove it does more good than harm, it's approved, even if we don't understand exactly why it works.

              • lazyasciiart 1250 days ago
                Try looking deeply into almost any specific condition - let's take heart disease. Cholesterol, for instance - is it bad? Is it necessary? Do you need a certain amount or does the amount not matter so long as you have the correct ratio of fats? Why are some people perfectly healthy with cholesterol numbers off the roof, and others can have atherosclerosis with cholesterol numbers off the charts low? Will reducing cholesterol for that second person help them? Hurt them?

                For the record, the treatment plan my cardiologist put me on was explained as "all these things seem correlated with not having heart attacks so we'll just do them all and hope it helps you".

              • matz1 1250 days ago
                I think the best the pill can do right now is to at least make some disturbance to change the balance and hope it produces a desirable outcome.

                Yes, basically throw something at the wall and hope it sticks.

            • noctua 1250 days ago
              Is the chemical imbalance theory accepted by all the experts? I remember seeing an article that questioned it. It also pointed to a study which showed that a lot of the antidepressant effect can be attributed to just placebo. I personally don't know much about the subject though so I don't know what sources to trust.
              • pessimizer 1250 days ago
                It's not, but it's something that has been lobbied and astroturfed into being offensive to disagree with, and is about 2 years from being censored on twitter and facebook (if it isn't already.) There are millions of people who, in the middle of severe episodes, were given particular drugs. They eventually recovered from these episodes (or they didn't, but we don't hear from those people.) They've been told that they will quickly end up back in the middle of the despair they were in if they cease taking them (lots do while continuing to take them, but we don't hear from those people.) Now you're questioning (and implicitly threatening) their lifeline.

                These people are fighting for their lives, and are taken advantage of by an industry. It also doesn't help that plenty of antipsychotics are crucial for people to take, but that's because those are drugs that actually make it difficult to think for people whose thoughts get out of control. They don't claim to be eradicating the chemicals or deficiencies of chemicals that cause all psychosis.

                The tactic of pharmaceutical companies creating patients' groups to get sufferers together and lobby "on their behalf" has been going on since the 80s. It's bulletproof, and impossible to attack. In the case of antidepressants, they've also guided them into defending these drugs as a class, rather than on an individual basis.

                Funded patients' groups also played a huge part in the prescription opiate epidemic; it doesn't matter how much science says that long-term opiates aren't helping chronic pain, you have to be heartless to dismiss someone with a known painful condition or injury when they're pleading for opiates. Even though you know that people who had nothing wrong with them before going on opiates would plead just as intensely.

                • profile53 1249 days ago
                  I am in agreement with a fair amount of what you said about overprescription, the lack of scientific backing for the chemical imbalance theory, and the less than stellar effectiveness of antipsychotics. But the way you're presenting it makes it sound like a conspiracy theory and truthfully comes off somewhat illogical and paranoid. That takes a lot away from your argument. Maybe there is a conspiracy, but if there is, then you need to back it up with proof or sources.

                  On another note, there is one thing you are absolutely incorrect about: antipsychotics are not ineffective at managing many mental health disorders. Large clinical trials are done before these drugs are even approved for the sole purpose of proving they are better than no treatment.

      • artichokes 1250 days ago
        Suicide rates and mental health conditions are skyrocketing. The effect of all this push about "mental health" has been to convince more and more people to believe they have mental health problems. And adopting this label does not seem to benefit their lives.
        • dijksterhuis 1250 days ago
          > The effect of all this push about "mental health" has been to convince more and more people to believe they have mental health problems.

          > Suicide rates ... are skyrocketing.

          I'm confused. You seem to be suggesting that having more conversations about mental health is to blame for an increase of people committing suicide.

          This is the exact opposite of my lived experience.

          Conversations about my mental health and my problems are why I'm alive (and have no intention of taking my own life) today.

          If you have a different lived experience, then fair enough.

          But I'd respectfully suggest to take care painting with such a wide, sweeping brush next time. Life ain't binary. Especially when it comes to mental health.

          • hutzlibu 1250 days ago
            "You seem to be suggesting that having more conversations about mental health is to blame for an increase of people committing suicide."

            I do not see him suggesting that. He was suggesting that "labeling" more and more people as mentally ill might cause more bad, than good.

            Almost everybody has psychological problems. And yes, it is very important to be able to speak about it openly. But it is a different thing to have "mental problems", or to have a "medical mental condition".

            • ViViDboarder 1250 days ago
              Is there a push to label more people as mentally ill? From what I’ve seen, the push to destigmatize mental health is done to avoid labeling and treat mental health the way we treat general health. For example, treat stress and anxiety as health concerns whereby you can/should take time off if you need to recover from stress as you would a cold. Or, if having difficulty reducing your stress, to see a therapist without any social stigma.
              • staticman2 1250 days ago
                Labeling people mentally ill is how the mental health industry convinces insurance companies to pay them for their services.

                It's also probably not possible to convince the government to let doctors prescribe potentially mind altering drugs to people unless they say the people taking drugs are "ill" and the doctors are treating the "illness".

                So yes I'd say there is a push to label people as ill.

                • adamsea 1250 days ago
                  What I think would be awesome is if mental health was de-stigmatized. Like physical health is.

                  I feel like back in the day - our grandparents, or their grandparents, perhaps you'd see men who didn't want to go to the doctor.

                  Now it is completely normal and expected to get a yearly physical. IMHO we all should be getting a yearly "mental", as well (with a psychologist, not a psychiatrist), and it should be both normal and expected.

                  • staticman2 1247 days ago
                    Back in the day a doctor might make you less healthy, not more, especially in the era before they knew to sterilize surgical tools.

                    You obviously aren't concerned that the "professional brain jargon talking person" will make things worse. I know from experience they sometimes do.

                    I don't trust mental health professionals nearly as much as you do.

        • jimmygrapes 1250 days ago
          I believe you are correct, specifically about the label; allowing a mental health concern to be your identity, or even just part of it, can be more disabling than the problem itself. It also allows many people who would otherwise find ways to cope (healthily or not) to use the label as a crutch. "My depression made me..." or "My autism causes me to..." are not uncommon phrases to hear now.
          • omgwtfbyobbq 1250 days ago
            It can be. On the flip side, I think there are people, who have been labeled negatively (eg lazy) because of a behavioral or medical condition, and now associate the traits that have been viewed negatively with that condition.
            • sascha_sl 1250 days ago
              Stigma is a huge problem, especially when initially seeking help. Burnout took years to be added to diagnostic manuals, and still people are scoffing whenever someone drops out after being worked to the bone for months.
              • eurasiantiger 1250 days ago
                In Finland, burnout is not considered a valid reason for sick leave. Depression is, so people are only given sick leave if they accept that diagnosis and medication.
                • mushbino 1250 days ago
                  It's basically the same in the US. Taking care of your "Mental Health" is corporate speak for burnout. There is talk about avoiding burnout, but if someone has to actually take leave because of it, there are no legal protections for burnout, but there are for mental health issues. Mental health can be treated, but burnout is harder to come back from in the eyes of the company.
          • sascha_sl 1250 days ago
            This is a fun way to avoid the actual thing we should talk about: We have systemic issues in our society that make people sick. Treating impacted mental health exclusively as a cause in and of itself - a personal issue - is a serious oversight, especially when we know those that have to fear for their survival living paycheck to paycheck are at much, much greater risk.

            I'm sure you can think of different social developments that relate to this too if you're a hardline "you are responsible for your own situation" capitalist without much thought given to individual privilege. There's plenty of others. Let's take social media incentivizing only sharing positive things, leading to bias when comparing your situation to others, for instance.

            The current system is a band aid on top of structural issues, nothing else. No amount of CBT and SSRIs can fix these.

            • forgotmypw17 1250 days ago
              this, a hundred times.

              the labels are a form of victim-blaming.

            • adamsea 1250 days ago
              Agreed, but both can be true to varying degrees at the same time.

              Bipolar disorder, clinical depression / major depressive issues, etc.

              Plus, since each "band aid" in this case is a human life - a person who may then be able to go on to help others and reform the system, I'm definitely a fan of pursuing both avenues at the same time.

              • sascha_sl 1250 days ago
                Of course mood affecting disorders exist on their own, it is just that they are heavily exacerbated in those susceptible to them if they have to constantly stress about their existence. By band-aid I meant more that they are a detraction from the root cause. As I said before, our forms of treatment can not cure these conditions as long as the root cause is not tackled.
                • adamsea 1249 days ago
Mostly agreed. However, with bipolar disorder for example, I'm not sure that the problems with our society are the root cause ... though I suppose perhaps increased pollutants might cause more issues with children/birth.

                  But still, my point is I don't believe 100% of mental health issues have the dysfunctions in our society as their root cause.

                  Which isn't to say that some do and that it's not a big deal - it is.

        • throwaway2245 1249 days ago
          >Suicide rates... are skyrocketing

          Not globally. A search suggests suicide rates are down 15% in 10 years. That is, suicides have gone down remarkably.

          If we're talking about the UK/US (which I haven't sourced but I can believe), it's more likely that conservative policies are driving people to feel they have no alternative.

        • chillwaves 1250 days ago
          You may have your causation/correlation confused.
      • LatteLazy 1250 days ago
        I agree. Most of the "progress" seems to be shiny press releases about wonder drugs. Then you look at the literature and discover 5% effectiveness for ideal uses and serious side effects. It's very important to "seek help" but that doesn't mean any actually exists.
      • Aeolun 1250 days ago
        > Because in the real world, the therapy method I have mostly seen, was and is keeping people calm with pills.

        I dunno, in most common diseases going around right now the solution is to treat people with pills. How is depression any different?

        • hutzlibu 1250 days ago
          First, well "keeping people calm" with pills is not making people healthy again.

Secondly: a bacterial infection and the treatment with antibiotics is very well understood - and is actually solving the issue.

The brain is not at all understood. Lifting people's mood with drugs is not solving why they were constantly unhappy in the first place.

      • totierne2 1250 days ago
        Key thing is in employment. The damage of the pills vs likelihood of an episode at work. (Work may not know if your mental health diagnosis). Once you hit retirement you can stop taking medication.
      • robotnikman 1248 days ago
        I think the fact that we no longer use barbaric practices such as lobotomies certainly counts.

        Still, we have only the faintest idea of how the mind truly works.

      • TeaDrunk 1250 days ago
        In the last couple of decades we've dissociated autism from schizophrenia, declared homosexuality and being trans no longer a mental illness, and uncovered therapeutic techniques like cognitive behavioral therapy which has real, measured, repeat-study impact in lowering people's risk of suicide.
        • jokethrowaway 1250 days ago
          That's mostly incorrect. Only Gender Identity Disorder -> Gender Dysphoria happened in the last 2 decades.

          CBT is great and I personally benefited from it, but it's not a recent phenomenon and its effectiveness is very hard to evaluate. There was a meta-study analysis in 2015 that pointed at a decline in its effectiveness between 1977 and 2014. I wonder whether it's because studying anything to do with a human brain is hard and we can't trust the numbers or if it's because of changes in society that caused people's personality to shift in a direction which makes CBT less effective.

          Autism and schizophrenia were differentiated in 1980, so that's not in the last 2 decades.

          Homosexuality stopped being a mental illness in 1973 (or 1987 if you include sexual orientation disturbance), so that's not in the last 2 decades. This was a great success, there were studies that pointed at a marked decrease in suicides among people in same-sex relationship over time.

          Gender Identity Disorder stopped being a mental illness in 2013 but I think the issue has been politicised and the outcome doesn't necessarily make a lot of sense. I can bring a personal anecdote from a friend of mine who started using a female name for a period and wanted to perform a reaffirmation surgery, who later changed his mind.

          - Most kids who experience gender dysphoria before puberty grow out of it.

          - Suicide rates are high even after reaffirmation surgery and even in western societies, which are accepting of transgenders. Moreover, if discrimination was the cause of suicide rates, I think we would see a high suicide rate in minorities. There is way more discrimination towards people of color than towards transgender.

          - If Gender Identity Disorder is not a mental illness, shouldn't we be consistent and label Body Integrity Dysphoria (aka people who believe they're amputee) as diversity and approve of cutting off of healthy limbs?

          I'm skeptical on including this as a win for the field.

          • pessimizer 1250 days ago
            > Homosexuality stopped being a mental illness in 1973 (or 1987 if you include sexual orientation disturbance), so that's not in the last 2 decades. This was a great success, there were studies that pointed at a marked decrease in suicides among people in same-sex relationship over time.

            And while it's progress for psychology itself, and good for society, it's certainly not an achievement. People were killing themselves and being institutionalized because psychologists were calling them insane, and this stopped happening when psychology chose to stop calling them insane. I can't claim an important discovery in abuse prevention if I choose to stop abusing someone.

          • LudwigNagasena 1250 days ago
            > There was a meta-study analysis in 2015 that pointed at a decline in its effectiveness between 1977 and 2014. I wonder whether it's because studying anything to do with a human brain is hard and we can't trust the numbers or if it's because of changes in society that caused people's personality to shift in a direction which makes CBT less effective.

            Another theory is that methodology doesn’t matter and the result mostly depends on personal qualities of the psychiatrist. And CBT was effective because the best specialists adopted it. When the rest of the profession caught up effectiveness went down.

          • est31 1250 days ago
            > Homosexuality stopped being a mental illness in 1973 (or 1987 if you include sexual orientation disturbance)

            Depends on your country. The WHO's ICD-9 document, published in 1977, still included homosexuality as a disease. It was removed in ICD-10, but it was only published in 1990. Countries adopted it in the 1990s and early 2000s. Germany belongs to the group which adopted it in the 2000s. So yes, it happened in the last 20 years.

            • manquer 1250 days ago
There are still plenty of countries and a significant chunk of the conservative US which treat it like an illness, that's not the point.

The discussion about 2 decades seems to be about accepted academic outcome, not policy execution, which is always varied.

FGM or homeopathy or Chinese medicine is still a problem in many parts of the world. We don't think the validity of science or anatomy depends on your country.

              • est31 1249 days ago
                Definitely, science shouldn't depend on the country, but the USA isn't the world either, and the person I was replying to equated the USA with the world. At least they should have used the year when ICD-10 came out.
                • manquer 1249 days ago
Yes, you are right, there is a fairly blurry line on when something becomes accepted.

                  ICD-10 could be one unambiguous way to classify.

          • TeaDrunk 1250 days ago
            1) I wasn't aware couple meant literally in the past 20 years and not the past handful (which to me would be anything within recent memory).

            2) Transgender people do not have the legal protections that people of color do. There have only recently been laws to protect transgender people to be employed, have healthcare, etc. on the federal level- and what protections exist can be easily stripped away due to "moral disagreement" of the employer. You cannot refuse as an employer to give a black woman healthcare because you have a "moral disagreement" with her being black.

      • t0mmyb0y 1250 days ago
        In my opinion it has. A few decades ago was a shift toward jungian therapy. A massive improvement.
    • feralimal 1250 days ago
      > This is a classic "Damoclean sword" conundrum.

      Is it though?

      Its only a conundrum because of the way we have organised data, with NO regard for the people the data comes from. We could have had data collected WITH consent only.

      The privacy boat left the port long ago - personal privacy was intentionally eroded, and this is just one example.

Personally, on ethical grounds, I could never have designed a system like that, with so little regard for others, externalising private information so that a permanent record is kept. Once private data is externalised, who knows where it ends up, even if it is in the name of some good cause (eg an improvement in therapy). Plenty of people warned of these sorts of outcomes.

      At this point, if you care about your privacy, you really only have the option of not engaging with the system. Or engaging as little as possible.

      • monkeydreams 1250 days ago
        > Personally, on ethical grounds, I could never have designed a system like that, with so little regard for others, externalising private information so that a permanent record is kept.

        My bread'n'butter is patient systems. I cannot think of a way to say this that is not patronising or condescending on some level. Your suggestion will not work. At all. On any level. If we implemented a system like this people would die. Hospitals and Doctors would be sued to oblivion, and rightfully so, but only if they don't succumb to bankruptcy due to malfeasance and incompetence first.

        Ethically building a patient administration system requires that you collect relevant information, that is patient-centric, and that identifies fully the patient, their needs, their location and their past episodes of care.

        > At this point, if you care about your privacy, you really only have the option of not engaging with the system. Or engaging as little as possible.

        The spectrum between privacy and effectiveness with patient and clinical systems is simple and stark. If you want absolute privacy you will receive care that will be truncated, untailored, unfit and unlinked.

        • feralimal 1250 days ago
          I appreciate your being honest about how the system works, and that part of its function is to aggregate data.

          I don't think the system can work in the ideal way I would like - the system's priority is the system itself, regardless of the wishes of the individual. As you say, doctors would be sued. I would say that suing, etc relates to the culture that has grown up around the system. And perhaps the medical system was always this way - ie system-centric, rather than patient-centric. With the onset of the 'IT age', we get to see that system-centric fruit fully 'ripen' such that everyone's data can be seen by anyone.

          You might say - as I do - that it is for the person who is being treated to be the collector of their information. A different culture would have grown had we had the patient at the center of our considerations.

I'm sure people have been warning all the way down the line, about the issues over privacy. It is frustrating that at every turn the expediency of the system overrides all other concerns. After, what, 100 years(?) we find ourselves where we are now, with the patient having no control (and often no knowledge) of the issues that relate to them, while the system has it all. I would go further and say that this outcome is by design, as those running the system - those who govern us - would prefer that we were ignorant while they are informed. It's pretty dystopian anyway.

          • monkeydreams 1249 days ago
> After, what, 100 years(?) we find ourselves where we are now, with the patient having no control (and often no knowledge) of the issues that relate to them, while the system has it all.

            I'd argue this, but I recognise I am in a privileged position of knowing how the systems work. HIPAA (in the US) and similar legislation in other countries actually puts a lot of power in the hands of patients - if they know how to use it.

            You are never going to be in the situation where the patient controls their data completely (what happens if they are non-responsive, drunk or psychotic and unable to legally consent to an intervention they desperately want). I think we shall move towards access to data, and possibly interpretation of that data, but not ownership. Control of the data will always come with caveats, as the body paying for the treatment will always assert their right to how the data is transmitted to minimise costs.

        • jancsika 1249 days ago
          > If you want absolute privacy you will receive care that will be truncated, untailored, unfit and unlinked.

          Are you sure your expertise in this area is up to date?

          Even with "unlinked": Signal can do discovery without the server storing a social graph. There's nothing stored on a server for a hacker to ransom.

          Rank speculation, but I'd imagine there are current designs even at Apple that protect user's health data, and those designs contradict your claim of a shrug-while-we-work dichotomy between "privacy and effectiveness."

          Edit: clarification, added a barb :)

          • monkeydreams 1249 days ago
            > Are you sure your expertise in this area is up to date?

            It's a constantly changing field, but Health data systems are not the fastest changing field. Change is bound to lower pace layers (governance, usually) and so the capabilities of these systems are ground slowly but incredibly fine.

            > Rank speculation, but I'd imagine there are current designs even at Apple that protect user's health data, and those designs contradict your claim of a shrug-while-we-work dichotomy between "privacy and effectiveness."

            Cool. I always enjoy new ideas for how to do things. If you can solve these issues, you would upend a HUUUUUGE industry overnight and would be richer than Bezos.

        • manquer 1250 days ago
          this is a strawman argument.

People will likely die because of this leak, I don't think there was any informed decision weighing the risks of both approaches before making the choice.

Every year I see leak after leak in medical data. I am only a developer not in the industry, but the nature of the leak has always indicated massive incompetence and poor design or ops, rather than a real need for patient care.

Storing data in a public S3 bucket has nothing to do with patient care, being unwilling to invest to upgrade from Windows XP has nothing to do with the ability to give care. Ransomware attacks because of an aging stack have nought to do with privacy or care.

There is very, very little need to aggregate data given the risk of leaks, and very little value to any single patient when his data gets aggregated. A system not influenced by pharma or the software industry would make it incredibly expensive or hard to collect aggregate data, while keeping individual records usable.

The harsh reality is hospital administration and regulation tends to be skewed with doctors; it is the same with legislators who tend to be lawyers, or professional management who tend to be sales rather than tech. None of these groups always understand the nuances of tech well enough to manage or regulate them better; sometimes they are smart or trust their advisors and get it right, but it is hit and miss.

Data is money today, so industry is not interested in better safety of medical data either; preventing aggregate collection will lose a lot of value for med tech companies.

          • monkeydreams 1249 days ago
            > this is a strawman argument.

            I'm reading this as a header declaration.

            You are arguing a range of items without actually touching on my point - that health data patterns require a link from encounter and observations back to a patient record. I think that you are arguing a number of these points with incomplete information (i.e. that you have little understanding of the pressures which result in the continued existence of Windows XP within the health ecosystem), and on other points you are completely missing the point (storing patient data on the cloud is a whole different argument).

> Data is money today, so industry is not interested in better safety of medical data either; preventing aggregate collection will lose a lot of value for med tech companies.

The data has relatively minimal value for the makers of patient record systems. The value of these systems is in the licensing and ancillary/secondary services.

            • manquer 1249 days ago
              I agree my understanding is limited into your industry.

I don't need to have an understanding, I am just a regular Joe whose data security your industry does not give a thought about, and whose data leaks constantly[1].

              After so many leaks, I do not see an acknowledgement of systemic issues. I see no discourse on how the industry can step up and improve their security practices. I see no significant update to regulation in response to any of this.

If your industry cannot move fast enough with the consumer tech industry then you should not be basing your tech stack on an OS like XP in the first place; XP was always going to have a limited window of mainline support.

              Core banking is perfectly happy using COBOL and zOS for the last 50 years. [2]

              If you don't believe the architectural choices the industry makes and attitude towards tech has anything to do with the data security problems there is nothing I can say to convince you.

              [1] I am focusing on one thing only security not privacy or anything else, i.e. unintentionally sharing data.

              [2] it is not that fin tech is without its problems either, however in general fin tech has responded to security concerns.

        • Aerroon 1250 days ago
          So, what you're effectively saying is that if you want to have privacy you can't get medical care?
          • monkeydreams 1250 days ago
            No, what I am saying is that if you want complete privacy you can't have effective care.

Effective care requires knowledge of patient history, co-ordination between providers, etc. Your general practitioner needs to identify you to a downstream specialist using a strongly identifiable source. Your hospital requires knowledge of your allergies, of your heritage, of your past medical history, etc, in order to ensure you receive the best therapies and medicines. This does not even touch on things such as funding models or holistic healthcare plans.

            The best any care provider would be able to do, in lieu of a trustworthy patient data source, is to offer general medicines and stabilisation.

            • temp667 1250 days ago
              I was on the back-end of a large electronic health records implementation. I'm not actually sure better care resulted, and the security was that dystopian type, ridiculous and insecure at the same time (we had to downgrade some systems to connect).

              At least in this mental health practice, you charted on paper / locally to the providers systems. We had a billing team (in old model) that only uploaded key patient info (MRN / DOB / Service date / time / billing code) to a billing system. This was done using billing slips that went to someone trained on it (who could handle all the weird hassles around eligibility etc etc).

Provider would actually talk to patients etc etc. The notes were pretty focused afterwards. And yes - pretty secure - it was actually hard to just browse around - providers locked up their notes in their office, and their office was locked (we had a three lock rule -> front door with alarm (metal gate), office locked, file drawer locked).

What people don't tell you is with the electronic health record, they also required that all these required elements be "charted" - on EVERY visit. So in the new system pretty soon charts become pages of boilerplate per visit - copy and paste stuff. It was not useful anymore to do a case history from this chart.

              So we made the admin folks happy, but what a trash experience - the EHR folks are selling bills of goods and the admin folks implementing and the compliance folks mandating endless boilerplate and macro entries to get anything approved are wasting all our time and money.

              I got out, never felt better - the people were great, the ordered from on high decade old java app through a double VPN that worked 50% of the time with no user experience thinking - a nightmare.

              And in this new system, every sysadmin could basically snoop on anyone (all in the name of patient coordination) as could lots of others who just ended up with the extra permissions because the system was so locked down we all basically had to be superusers. To run billing reports you needed access to every record - so they had to give you these ridiculous permission levels. And to avoid QC issues billing staff are reading all the chart notes to make sure all the required boilerplate is in them. Such BS. This system was integrated with a lot of providers, so you could also see everything related to that person everywhere (all the office / admin / billing staff at literally every provider included). While a bit helpful if you had a billing issue (same unit type billed at an unapproved frequency) all the benefits focused on that type stuff (admin ease) and privacy was zero across that backend system.

              • monkeydreams 1250 days ago
                > I was on the back-end of a large electronic health records implementation.

                My organisation has done many EHR/EMR, PAS and EMPI implementations using systems from third party vendors (i.e. I don't have any dog in the which-system-is-best fight). With modern systems (i.e. applications developed during and after the HIPAA act) we have seen significant reductions in error rates relating to drug interactions and dosing.

                > What people don't tell you is with the electronic health record, they also required that all these required elements be "charted" - on EVERY visit. So in new system pretty soon charts become a pages of boilerplate per visit - copy and paste stuff. It was not useful anymore to do a case history from this chart.

                I did not know we were meant to keep this a secret. Yes, it is important that you record every encounter with "boilerplate" code. There are funding impacts (as case complexity rises with these lifestyle and prior history codes). If a patient presents with a cough and blood in the sputum, it is important to know that they were once a smoker. If a patient presents with a broken leg and they have a history of diabetes, their treatment will be considerably more difficult and expensive.

                > And in this new system, every sysadmin could basically snoop on anyone (all in the name of patient coordination) as could lots of others who just ended up with the extra permissions because the system was so locked down we all basically had to be superusers.

I have worked on these systems as well. I find more recent systems to be far better at accountability with regards to patient record access tracking. It has been a long evolutionary path, however.

                • temp667 1250 days ago
                  Mental health I think is at least somewhat different. I'm surprised this hasn't been studied at least a little. A fortune in implementation costs (system I was stuck with was 10 years ago now - absolute trash / hell).

                  The patient wants time with their clinician. So in a 20-30 minute visit either the clinician has to be busy charting away (we called them progress notes) or you get actual patient time and more summarized to the point notes. Why can't charts include decision useful info.

For example, if a patient has 5 objectives in their plan, why make EVERY 20 minute encounter go over all these objectives yadda yadda - is it unfair to expect the clinician will be working on these issues during their visit? Now every progress note has to have: We discussed patient's success and potential tools to help them improve in their ability to control X, including various strategies and evidence tested techniques shown to demonstrate good results in this area. We discussed patient's success and potential tools to help them improve in their ability to control Y, including various strategies and evidence tested techniques shown to demonstrate good results in this area.

                  This was govt delivered / managed care BTW - so in reality, the EHR made clear that they gave to craps about patients or outcomes and just wanted to check boxes, so everything was both insanely detailed and offered no decision usefulness.

The tell is that most of these systems have been totally top down forced (from national level). That's a good sign there is not much natural desire for them.

                  In other fields you get bottom up adoption of tools - a proof in the pudding point of evidence that folks find value in them (beyond the admins).

                  • monkeydreams 1249 days ago
                    > Mental health I think is at least somewhat different. I'm surprised this hasn't been studied at least a little. A fortune in implementation costs (system I was stuck with was 10 years ago now - absolute trash / hell).

                    Yeah, MH is an odd beast. I think the slowness of health data change is exacerbated by the complete lack of funding to this area (at least in countries with public MH services).

          • viraptor 1250 days ago
            You can't get medical care efficiently and accounting for your specific situation. Sure, you can have a limb set after a mild injury without extra information. But anything long term or needing specific management will get complicated.
            • Aerroon 1250 days ago
              But we had medical care in the past that somehow worked without all of these digital systems? Was that care significantly less effective because of no digital data? It was less efficient, because you had to carry your documents around yourself, but I'm not sure that the care was significantly less effective.

              I'm sure that it makes a difference to some people, but so does the vulnerability of privacy. How many people will simply not see a doctor because they're worried about this?

              • monkeydreams 1250 days ago
                > It was less efficient, because you had to carry your documents around yourself, but I'm not sure that the care was significantly less effective.

                Also your healthcare providers kept their fully-identified records.

                And, yes, it was significantly less effective with higher error rates, etc.

                > How many people will simply not see a doctor because they're worried about this?

                Very few, I suspect. None that I have ever heard of outside of people with significant anxiety disorders (this is literally true, and not my implying anything).

                • Aerroon 1245 days ago
                  I don't mean that they will never see a doctor. What I mean is that when something is embarrassing they won't see a doctor, particularly when it comes to mental health.
      • adamsea 1250 days ago
        To add on to what you're saying, if there isn't, there should be legal liability for these software systems in the same way civil engineers have legal liability, from my limited understanding.

        I.E. software engineers can become ... real engineers!

    • jimkleiber 1250 days ago
      I built an app for micro-journaling emotions in 2012 and while I've felt so grateful to be using it and excited how it could help so many people, I have also felt terrified at what might happen if such deeply personal information leaked. I tried to make it local-only, using an encrypted database and a required password, and yet I still feared that the device could get hacked and it would lead to suicide, murder, overdose, etc., if not war, depending on whose phone it was.

      At what point should we refrain from releasing a tool that may powerfully help people but also powerfully hurt people?

      • ChrisMarshallNY 1249 days ago
        Thanks for doing that.

        I deliberately avoided reading this thread for quite a while, because I could see where it was going. It's pretty depressing how willing (and even enthusiastic) we can be, in dehumanizing other people.

        I have been deliberately vague, in specifics, because even a bit more specific could lead to people figuring out some of the identities of the folks I have known. I have enough respect for these people, and for the extreme damage that can be done, if it leaks, that I'm willing to take shots from the "Give us concrete examples, or you're a liar!" crowd.

        Here's an example of how tools could be misused. One of the things that I've done, over the years, is design a Web-driven, decentralized system for aggregating 12-Step fellowship (drug recovery) meetings. It's pretty much becoming the de facto world standard.

        In some nations (I'm looking at you, Philippines), people can be killed, just for being drug addicts. In other nations (I'm looking at you, Mexico), drug rehabs and recovery gatherings can be targeted by mass-murderers, in efforts to kill just one member.

        It's entirely possible that the tool I wrote could become a "murder menu" for these places, and that is not a thought that I take lightly.

        Nevertheless, those are "might" scenarios, and there's no question at all, that the tool has saved many, many lives.

        I don't think that it's being used in the Philippines, but they are considering using it in Mexico.

        I did my due diligence in the design of the tool. A number of compromises needed to be made, in order to ensure that it would be adopted by its intended user base, but it's pretty hard to abuse. Also, the team that took over after I turned it over, includes a number of security experts, so I leave it in good hands.

        I can't tell you what to do, but, if you feel that you have done all you can, legitimately, to secure it, then you can probably confidently release it, maybe with some published guidance, outlining risks.

        • jimkleiber 1249 days ago
          This may be the first time since I've built that app that I've interacted with someone who may understand the level of fear and anxiety I've felt when thinking about releasing it. Many people have told me, "Oh, don't worry, just release it!"

          I feel grateful that you've not only built the tool and put it out there, but that you took the time to share with me a little of your story and that it sounds like you have also felt the weight of such a decision. I'm sure other people feel it as well, I just rarely, if ever, have heard someone articulate the saving a life vs taking a life aspects of such technology.

          Thank you.

          • ChrisMarshallNY 1249 days ago
            Good luck, Jim.

            You sound like a decent chap. I like “martial art for an open heart.”

            We can use as much of that as possible, in today’s world.

            • jimkleiber 1246 days ago
              Thank you, Chris :-)

              I know I still need it and imagine there is always at least one other person who may as well :-D

              You sound like a decent chap as well. I have a lot of friends who have benefited strongly from the 12-step process. I also imagine I might have other friends in some of those nations you mentioned who benefit from the care you put into protecting their privacy.

              Good luck to you as well!

    • jrochkind1 1250 days ago
      > The ability to digitize and aggregate the data, and maybe even subject it to some kinds of AI, might result in massive improvement in therapy.

      We can always say "might" but is there any evidence of this at all? On what theory would you even think it would?

    • dontbenebby 1249 days ago
      >The ability to digitize and aggregate the data, and maybe even subject it to some kinds of AI, might result in massive improvement in therapy.

      But do we need new therapies? CBT, mindfulness, etc - there are a lot of therapies that work VERY WELL. Especially (and this is anecdotal, from friends), combined with things like replacing alcohol with marijuana, reducing or eliminating caffeine, eating well (avoiding sugar / white bread and other carbs), and getting regular exercise.

      But we live in a sick society, where the above are often untenable.

      Therapy? That's 1:1, time intensive, and insurance abhors it if a pill can do the job.

      Marijuana? Illegal, or expensive and over regulated when legal.

      Exercise? Hard to do if you have long hours and a long commute.

      Healthy food? Expensive, sometimes hard to cook. (I looked at an Indian recipe book for vegetarian ideas and many of the things I love, like palak paneer, are very labor intensive).

      But put someone on antidepressants or other pills that are covered by insurance or purchased in generic? That's a simple solution, so it's what's used, even as patients suffer HORRIFIC symptoms going off these meds when they do not work.

      Imagine mustering the courage to ask for help, being given a pill that does not, and makes you have trouble doing the work that gets you insurance.

      And then not to mention the therapists themselves - having to find the right one, and that's if you just don't mesh and don't have a very bad experience.

      I'd argue a lot of what we call "depression" or "anxiety" are actually quite normal responses to a sick system in desperate need of change and people are often "nudged" by the system to do the "wrong" thing then punished for following the path laid out for them.

    • aaron695 1250 days ago
      > The ability to digitize and aggregate the data, and maybe even subject it to some kinds of AI, might result in massive improvement in therapy.

      This 100% is not true.

      We can't properly even see rates of STI increases in communities quickly, so worrying about an AI that would have IQs at human level, which is decades away, is not relevant.

      This 100% could be done with written notes.

      Cost is the only factor.

      Making a therapist cheaper will save lives.

      I suspect electronic notes save pennies in the dollar, compared to the other expenses of therapy.

    • dmch-1 1250 days ago
      I saw a couple of comments complaining about making people into data points, and that this is dehumanising. But I do not see this.

      Growth of data based technologies and information surely creates risks to privacy, which is another story. However, treating people's data as just data is neither new nor dehumanising. Science does that with everything and that is called abstraction. Just make sure that personal data protection measures are there.

    • crb002 1250 days ago
      Not much has changed since Nellie Bly. Several are still locked up with no jury trial - just a rubber stamp by a magistrate to whatever the prosecutor asks for - the modern day equivalent being a cut and paste between Word documents.
      • behringer 1250 days ago
        We're not talking about the justice system here..
        • techbio 1250 days ago
          Nellie Bly was an investigative reporter who was committed to an asylum by a judge, more at linked page. In the US, for decades, jails hold many more mentally ill people than psychiatric facilities do.

          https://en.m.wikipedia.org/wiki/Ten_Days_in_a_Mad-House

          • truantbuick 1250 days ago
            Not sure you meant to imply otherwise, but just to clarify: Bly intentionally got herself committed for an undercover assignment.
    • ergwwrt 1250 days ago
      To answer your points... Some people will commit suicide... So what, somebody knows your condition? Guess what, nobody is going to bully you, life moves on. Nobody is going to commit suicide. Some will avoid treatment... I would too if doctors were trying to profit off me. Remember the goal of these institutions is not to cure but to prescribe pills for life to make money as long as possible. Actually, having the courage to say "NO" to prescriptions will probably cure many
    • kordlessagain 1250 days ago
      > That's not hyperbole.

      In the 50 some odd years I've been on this planet, it has been my observation that most every time someone says something isn't applicable to their argument at the same time they are making the argument, it is.

  • INGELRII 1251 days ago
    This issue can be solved with mandatory insurance and compensation structure. For this sensitive private health information compensation should be at least 5 figures per person, no excuses. A data breach involving 10,000 people could cost 100s of millions.

    Companies would have to take mandatory insurance against massive data leaks. In order to keep insurance fees reasonable, they would have to implement good security. Insurance companies would do audits because they don't want to lose money. They would promote secure data vaults, require hardware authentication devices from their customers in exchange of insuring them.

    Car manufacturers must be prepared to do massive recalls in case there is a fault in the car. Automotive recall insurance is a big business. Same thing. Regulatory structures protecting consumers.

    • TedDoesntTalk 1250 days ago
      No insurance company is going to take that deal because infosec audits are not perfect and they can not audit every possible software release.

      So your plan means governments will have to provide this insurance (there is precedent for governments providing insurance; eg Medicare in the US).

      That means taxpayers will fund the payouts.

      This is not a good solution. I don't have an alternative, but I don't like this one.

      • AnthonyMouse 1250 days ago
        > No insurance company is going to take that deal because infosec audits are not perfect and they can not audit every possible software release.

        That doesn't cause them to be unwilling to write a policy. What it does is cause the premiums to be high.

        But the insurance companies will still want to mitigate the risk as much as possible, so they'll still dump compliance costs on the policy holders to try to mitigate the risk. And since the insurance is mandatory, they have no real incentive to minimize those costs or ensure that they achieve a worthwhile cost/benefit ratio. So mental health providers will have two new large operating costs imposed on them.

        And the breaches will still happen, because most of the compliance requirements will be in the nature of having to install antivirus on your Linux servers and mandating passwords to be changed often enough that everybody writes them on a sticky note on the side of their monitor and the password reset mechanism becomes "easy to use" with the obvious implications of that.

        This style of solution is common in healthcare in the US and is one of the reasons it's so expensive.

        • d4mi3n 1250 days ago
          > And the breaches will still happen, because most of the compliance requirements will be in the nature of having to install antivirus on your Linux servers and mandating passwords to be changed often enough that everybody writes them on a sticky note on the side of their monitor and the password reset mechanism becomes "easy to use" with the obvious implications of that.

          I'll note that the whole password on a sticky note example is not ideal, but doesn't weaken such systems against what is likely the biggest risk they face: network systems being compromised remotely.

          This is of course not ideal, but a far cry better than not having such policies in place.

          • AnthonyMouse 1250 days ago
            > I'll note that the whole password on a sticky note example is not ideal, but doesn't weaken such systems against what is likely the biggest risk they face: network systems being compromised remotely.

            Until somebody posts a selfie with the sticky note in the background.

            • throwaway0a5e 1250 days ago
              Still way less of an issue than someone feeding last month's public data dump into their credential stuffing script.
      • hrktb 1250 days ago
        Replace privacy leak with car accident. No insurance company has perfect info on car safety, driver behavior or road maintenance status. Yet as a mandatory system it works well enough.

        Insurance companies have the tools to deal with lack of information.

        • eru 1250 days ago
          Alas, infosec failures often come in much bigger lumps than car accidents.
        • robocat 1250 days ago
          Car fatalities in Finland: approximately 250 per year. That gives an idea of the orders of magnitude difference that can occur with security breaches. There have been breaches where every person in a whole country has been affected.

          Most importantly car accidents have a known variance and are statistically predictable.

          There are insurers that will take on one-off unpredictable risks (reinsurance), but equating cybersecurity to car insurance makes little sense.

        • SilasX 1250 days ago
          Insurance companies have relatively low caps on what they have to pay out per accident though. The figures here would be much higher.
          • hrktb 1250 days ago
            It’s a matter of balancing costs and income.

            Insurance companies can deal with skyscrapers or airline crash insurances, I don’t think privacy leaks should be harder to manage than actual death.

            • SilasX 1250 days ago
              >It’s a matter of balancing costs and income.

              I know, I just thought car accidents were a bad way to make the point.

              Data breaches vs skyscrapers/airplanes are harder to distinguish, so yeah those are more comparable.

              Edit: that is, data breaches under the proposed system of high per-user liability are comparable.

      • INGELRII 1250 days ago
        Insurance business is risk management in imperfect world. Quantifying the risk and pricing it is their business.
        • beefield 1250 days ago
          Insurance companies like risks that are diversified over their customer base, with regular enough occurrence in the customer population that the cost of payments over time is relatively stable. Insurance companies absolutely abhor risks that affect a large portion of their customer base at the same time but only rarely. Re-insurers offer some help, you can talk about some special investment vehicles where insurance companies can offload those kind of risks off their books, but on the whole, I think it is quite safe to assume that the insurance market for those kind of risks would be seriously broken.
          • tupputuppu 1250 days ago
            Your opinion is invalidated by the fact that cyber breach insurance is a thing that insurance companies sell already today.
            • beefield 1250 days ago
              "For this sensitive private health information compensation should be at least 5 figures per person, no excuses."

              I still have my doubts this kind of insurance is for sale with non-prohibitive prices.

      • jcims 1250 days ago
        Cybersecurity insurance is presently about a 5 billion dollar market globally. There are quite a few underwriters getting into the game and vendors stepping all over each other trying to figure out how to get a piece of that risk reduction work.

        Personally I think it's adequate just to fine companies for breaches and let them figure out if they want to insure or do better or both.

        • eru 1250 days ago
          > Personally I think it's adequate just to fine companies for breaches and let them figure out if they want to insure or do better or both.

          They'd just need to post a bond or similar, if they don't want to insure.

          (Any insurance company would need to do something similar.)

        • robocat 1250 days ago
          GP poster was suggesting the victims (patients in this case) get compensation, not the company.

          Currently cybersecurity insurance pays the company, so actually the company itself has less incentive to fix real security issues (albeit with more incentive to resolve the specific security-audit needs of the policy). And expensive policies reduce the pot of money available to fix problems.

          Government policies that make directors criminally liable, and ways to spread that liability for criminally negligent security faults, would probably have a better effect than monetary fines.

          • jcims 1250 days ago
            My read was that the insurance was to ensure that the company would have funds to pay damages.
      • skybrian 1250 days ago
        I don't think it's a perfect solution, but it might help on the margin? We don't need penalties to be so high that they drive firms into bankruptcy and make insurance unaffordable.

        A lower amount of financial risk would be enough to provide incentives for companies to buy insurance and improve their security in whatever way makes sense.

      • vsareto 1250 days ago
        >and they can not audit every possible software release.

        Do less frequent, more meaningful releases. Grow and invest in security talent. Move slow and polish things.

        Plus infosec is definitely not taking everyone in with a proven interest. Even with the popular certs, there's still barriers to entry for no good reason.

      • WhompingWindows 1250 days ago
        Regulations could encourage/entice/require big insurance companies to take on infosec contracts.
    • candiodari 1250 days ago
      Or you could solve this issue by not having this data in the first place. This data is so private and the violation of trust by the system so complete that the trust of most of these people will never be repaired.

      You don't need secure data vaults, you need LESS DATA. And anything you can't deal with seeing published, think VERY long and hard if it is absolutely necessary to have it. Even when it is necessary, is there any reason at all for not having it on an unpowered hard drive in a bank vault that requires approval from at least 2 directors to temporarily connect it to a machine that has never been connected to the internet?

      Most security breaches (including ransomware events) are insider attacks. Secure data vaults that only allow "authorized persons" access to patient data are therefore never secure.

      Secure data vaults are

      • jcims 1250 days ago
        It should be an option to ask hospitals to purge your data or have some kind of intentional and deliberate opt in/opt out conversation at some point in care.

        This is a double-edged sword though. Case history is incredibly valuable for physicians and personally I would likely opt for them to retain it if I'm going through any kind of chronic illness. My wife went through a very severe illness that lasted over two years. We saw numerous hospitals and doctors over that span and the ability to have the hospitals exchange her data completely and accurately was instrumental in ensuring timely and accurate review of her case. Sure I could have done that with some kind of data checkout/checkin mechanism but I wasn't in the best state of mind to be able to implement all of the resiliency mechanisms required to take appropriate care of that information.

        • Hamuko 1250 days ago
          >It should be an option to ask hospitals to purge your data or have some kind of intentional and deliberate opt in/opt out conversation at some point in care.

          What if you suspect that there's been medical malpractice done on you and you've purged your data? Or there's some sort of an investigation where the authorities need to get in contact with a certain doctor's patients or something?

          • jcims 1250 days ago
            Perfectly valid questions that need to be part of the calculation and why I'm interested in this topic.

            I don't think my wife experienced anything that would reach the bar of malpractice, but mistakes and poor operational practices definitely impacted her care. Because the hospitals retain this data I was able to collect all of the medical records from her experience and am currently seeking a subject matter expert to review them (very difficult to find, it turns out). If I had requested that this data be purged without having a complete copy then obviously the information is not going to contribute to any follow-up investigation.

            There are very real and concerning issues with ongoing custody of this type of data by any organization, let alone any of the access that is provided to it through relationships that we as consumers are unaware of. But I don't think the answer is wholesale elimination of custody, there's a lot of pros and cons that everyone should be in a position to understand and decide for themselves.

      • syshum 1250 days ago
        It seems like with environmental policy where people forgot about Reduce and Reuse/Repair as vital parts of the environmental protection triangle and instead only focus on Recycle.

        Data Protection has fallen into the same trap, where no one even questions if data should be collected, and then if it is collected for how long it should be retained.

        It seems the default position is Collect all info, and store it forever, encryption can protect it for all time....

      • glaucon 1250 days ago
        > Most security breaches (including ransomware events) are insider attacks

        I'm interested in this suggestion, do you have any data?

        The breaches that I recall most vividly (and I appreciate that confirmation bias is at play here) involve outsiders accessing cloud based data stores (almost always S3 because of market dominance) the access rights of which have been inadvertently set up to allow public access.

        I can recall a case like the above which was then exploited by a disgruntled insider but mostly, it seems to me, it's outsiders.

        Would be interested to see some numbers, although given a lot of ransom events are, I assume, never made public it's probably difficult to get anything definitive?

      • Hamuko 1250 days ago
        I don't see how any patient data can exist in this world under these conditions.
        • candiodari 1250 days ago
          On a notebook (the paper kind), locked, in a specific doctor's office is not a problem at all.
          • RobertDeNiro 1250 days ago
            This shows a very poor understanding of how doctors work. On difficult cases doctors often need to consult with others, sharing information about the case. Furthermore, in psych. multiple followups are required. If this is all solely done on paper the logistics become more complex and error prone.
            • Aerroon 1250 days ago
              The alternative is that people who have any kind of sensitive issue (which is most mental health issues) won't see a mental health professional at all. There are many people in my social circle that I cannot imagine seeing a mental health professional in general. You add on the risk of the actual discussion leaking and it would be impossible to even convince them to do so.

              That's the kind of damage leaks like this do.

            • tupputuppu 1250 days ago
              Psychologists aren't doctors in Finland where the story is from.
          • fogihujy 1250 days ago
            A notebook might be just a little too old-school to work in the modern world, but there's definitely reason to consider having such sensitive data completely separated from the Internet.
          • Hamuko 1250 days ago
            How do patient referrals work?
            • aspenmayer 1250 days ago
              Same way they worked before computers? Fax machines still exist.
              • Sebb767 1250 days ago
                > Fax machines still exist

                Sure, send the patient data over an unencrypted phone line, probably using a never-updated smart scanner to an internet-connected IoT-printer. Sounds like a plan!

                • aspenmayer 1250 days ago
                  You could make the same argument about the mail system.
                  • Sebb767 1250 days ago
                    And I would! While mail is not as easy to monitor at scale or distance, the files of single patients are even less protected; catching a letter is rather trivial if one really wants to.
              • Hamuko 1250 days ago
                Well now the patient data is not really locked away in a specific office.
                • aspenmayer 1250 days ago
                  How about physical mailing?
              • ent 1250 days ago
                In what part of the world? I haven't seen one in Finland since maybe the early 2000's.
            • gruez 1250 days ago
              How did they work a few decades ago?
        • lloda 1250 days ago
          The patient can keep the data and have the doctor sign it.
          • Hamuko 1250 days ago
            That's not possible. Medical records have to be kept for 12 years (IIRC).
            • tupputuppu 1250 days ago
              The story is from Finland. We don't have such requirements, especially relating to psychotherapy session transcripts - these are done by psychologists who aren't even doctors in Finland, all this data is outside of our healthcare data systems.
              • Hamuko 1250 days ago
                > A psychotherapist must make an entry for each of the patient's psychotherapy visits without delay and in an up-to-date manner. A missed visit or a cancelled visit, whether at the patient's or the psychotherapist's initiative, must be recorded. At the start of treatment the entries must be more thorough, and the patient's treatment plan must be recorded clearly.

                > It is typical of psychotherapy that the psychotherapist takes notes during the psychotherapy session. Without delay after the psychotherapy session, the psychotherapist must draw up the actual patient record entries from the key points of those notes.

            • candiodari 1250 days ago
              Why is psychological data considered a medical record? Only the medication used, and only as long as it is relevant, should be medical.
    • kebman 1250 days ago
      Wouldn't it be better to simply invest that money in better security to begin with? An insurance scheme looks to me like a great incentive to hack insured servers, in order to cause insurance payouts on top of blackmail.

      Anyway, just want to say that there's a special place in Hell reserved for people who do that kind of thing, and to minors, even...

      • INGELRII 1250 days ago
        >Wouldn't it be better to simply invest that money in better security to begin with

        You are arguing for behavior without providing any suggestions on how to achieve it. "Wouldn't it be better to simply do the right thing." is not a solution.

        What I propose is a set of policies and incentives that achieve what you want.

        • foolmeonce 1250 days ago
          I don't think a giant new source of income for insurance companies and slip and fall con artists will fix anything.

          Each individual company might try to motivate slightly better behavior in their own clients but overall they want their administrative percentage of a growth industry so they drive up absurd costs like the US health care industry.

          • eru 1250 days ago
            You make an interesting point that with enough bad regulation, you can destroy any good and sensible idea.
            • foolmeonce 1250 days ago
              Adding high value to stolen personal data is a sufficient bad regulation alone.

              The goal is to remove value so there's no expectation of ransom and therefore no thefts. If a company has to pay X for the loss of data, they would be fools not to pay X/100 to someone who breaks in, steals the data and promises not to report it.

              • eru 1249 days ago
                We have a similar situation and incentives for eg poisoning a few jars in a food factory. (And I have read of some rare cases where that was actually a problem.)

                What keeps that from being too much of a concern? What similar factors apply in the data breach ransom scenario? What's different?

                (Just for clarification: if a bad actor poisons a few jars, the producer in question is probably not legally responsible; but they still face a significant cost in lower sales. So blackmail is just as possible.)

                • foolmeonce 1249 days ago
                  That's the example I was thinking of, I'm quite happy with government concerning itself with regulations on options, etc, working closely with the food industry, and perhaps I'm alive only since no free marketeer was around to introduce an unconditional $10k fine per malicious tampering as a way to improve security during the painkiller scandals.

                  Naturally, if free marketeers had created a market for food tampering that encouraged industry collusion with criminals instead of law enforcement, they would tell us it was an inevitable development and they are getting us the best outcome of many bad new realities.

                  • eru 1246 days ago
                    Your strawman seems a bit stupid. Real life companies are more long term greedy and ingenious. (Even if only because competition forces them to.) So even if there's an incentive to cooperate with a blackmail attempt that's already happening, there's also a strong incentive to get a reputation that prevents further blackmailing.

                    If you have some time, listen to this podcast episode https://www.econtalk.org/anja-shortland-on-kidnap/

                    > Anja Shortland of King's College London talks about her book Kidnap with EconTalk host Russ Roberts. Kidnapping is relatively common in parts of the world where government authority is weak. Shortland explores this strange, frightening, but surprisingly orderly world. She shows how the interaction between kidnappers, victims, and insurance companies creates a somewhat predictable set of prices for ransom and creates a relatively high chance of the safe return of those who are kidnapped.

                    The broad incentives in kidnapping cases are comparable to what we discussed. As far as I can tell the market for kidnapping insurance doesn't have any special regulation, so perhaps a good proxy for how a free market might operate.

                    One of the main takeaways for me was that when eg an oil or mining concern buys kidnapping insurance for their employees, the insurance company strictly insists that employees not be told that there is insurance.

                    • foolmeonce 1245 days ago
                      Here you seem to understand the basis for inference:

                      > the insurance company strictly insists that employees not be told that there is insurance.

                      The stated inference:

                      >> Each individual company might try to motivate slightly better behavior in their own clients but overall they want their administrative percentage of a growth industry so they drive up absurd costs like the US health care industry

                      The background concept that applies regardless of whether a parasite is "criminal" or standard practice (of course every parasite can claim something symbiotic, maybe kidnapping is just freelance private security testing with post pricing):

                      https://en.wikipedia.org/wiki/Parasite_load

                      The insurance parasite/symbiote load as percentage of GDP, compare the 1980s to now:

                      https://data.oecd.org/insurance/insurance-spending.htm

                      The percentage of GDP lost in ransom? 0%? Terrorist ransom was also popular in the 1980s but government interfered directly, preventing most private payments and that response was primarily with force.

                      So, would a government demanding €10k for every kidnap of your employees they hear of fix a problem?

                      No, it would make kidnapping more attractive. It would threaten to involve a larger parasite (clearly this is too late in the case of kidnapping in this century!) And you would have a permanent problem with a powerful parasitic market deriving more profit than the primary market of criminals.

                      Luckily, for food conglomerates their stock price is uninsurable.

                      Unluckily for humans, government hasn't stepped in to prevent a market and much more profitable secondary markets for kidnapping in this decade.

                      Unluckily for private data most governments haven't come down on the use of laundered stolen private data (i.e. outlawing the sloppy US credit market, any unique pricing of insurance to a group, etc.) Luckily, they have not gone so incompetent as to add an incentive that makes all private data valuable.

                      • eru 1242 days ago
                        Sorry, I found your comment hard to follow. Could you please explain in more detail?

                        Apropos government and ransom payments: in some countries, like Switzerland, _paying_ ransom is generally illegal. That's meant to make blackmailing Swiss people and companies less attractive. Not many countries follow the Swiss lead here, though.

                        > Luckily, for food conglomerates their stock price is uninsurable.

                        What do you mean? Falling stock prices are one of the easiest thing to insure against. Just buy some puts. https://en.wikipedia.org/wiki/Put_option

                        > Unluckily for humans, government hasn't stepped in to prevent a market and much more profitable secondary markets for kidnapping in this decade.

                        Sorry, which governments and which markets are you talking about? Especially which secondary market? (Do you mean the insurance market? If yes, that's probably better described as a derivatives market.

                        A secondary market is a rather different beast. See eg https://en.wikipedia.org/wiki/Secondary_market

                        In the case of kidnapping, a secondary market would be one where you'd sell on kidnapped people. Not one where you make insurance 'bets'.)

        • kebman 1250 days ago
          > ou are arguing for behavior without providing any suggestions on how to achieve it. (sic.)

          Yes, I did. I provided you with this solution: "simply invest that money in better security to begin with"

          > "Wouldn't it be better to simply do the right thing." is not a solution.

          I never said that. But what I did say is indeed a solution.

          > What I propose is a set of policies and incentives that achieve what you want.

          Well, it certainly makes incentives, but probably not the ones you had in mind. For instance it incentivizes middlemen to scrape off valuable resources that could have been used to secure the actual data. At best this lowers the profit margin left over for the hospital to improve the security, but it's way worse than that. Instead the middleman actually incentivizes hackers to crack into the very system the middleman "insures," exactly because huge insurance payouts are involved.

          Perhaps the hackers could fake a mental disorder and get committed at the hospital, which would make it far easier to get insight into how the data security system works, and then plant a backdoor or leak that way. This means the hacker would both get money from blackmail and money from insurance payouts (win-win for him), making the incentives from the insurance scam absurdly bad. But perhaps that was the goal all along?

          Meanwhile the owner is already disincentivized from securing the system further, because he can claim that he already did enough to secure it, while what he actually means is that he insured it... Whatever he paid for, was certainly not free! The only one incentivized to look into the matter, is the insurance company itself, because they're the ones who stand to lose the most money if the system fails. And even they don't want to waste money on a matter they might not even understand themselves. Meanwhile their biggest incentive isn't to secure the data, but to not pay money to the patients. And perhaps the easiest way to avoid that, is to hire a PR consultant instead of fixing the data system.

          Certainly the least of their worries are the patients, who are the real losers here, from being trapped in a game of exploitation for profit, and who quite possibly have to pay a much higher fee for the services of said institution because of it. Luckily, Finland is a welfare state, so that extra cost probably won't be billed to individual patients (depending on how this privately owned hospital operates), but instead it will most likely be forwarded to the taxpayers, which – while spreading the cost on more hands – is still extremely bad.

          Overall, introducing an insurance scheme only adds another problem, without fixing the initial one, because how would you rate the probability of the system failing? That's what sets the insurance fee, after all. Thus, for the insurance company's part, it's far better to overbill, which would just result in increasing cost, without much benefit to anyone.

          • rebuilder 1250 days ago
            To what standard should security be increased? Should we introduce legislation requiring companies to spend some percentage of their turnover on data security? Or should we require compliance with an ISO standard? Or just put companies on the hook for all breach-related costs?

            As you can imagine, for the legislator, this is quite a headache. The insurance idea is appealing because it lets the market price the risk, and introduces a mechanism that can adapt to changing conditions. What mechanism do you propose to induce companies to fix their security?

            • kebman 1250 days ago
              > Should we introduce legislation requiring companies to spend some percentage of their turnover on data security?

              Does that seem like a good idea to you?

              > Or should we require compliance with an ISO standard? Or just put companies on the hook for all breach-related costs?

              Companies are already doing a combination of the two.

              > As you can imagine, for the legislator, this is quite a headache.

              Why? Legislators don't need to get involved at all, outside making sure that justice is served to the criminals, and that injured parties are duly compensated.

              > The insurance idea is appealing because it lets the market price the risk, and introduces a mechanism that can adapt to changing conditions.

              Sure, if the advantage of it defeats the severe problems already stated, and then only if it costs less than to simply invest in better security (or in the least that it doesn't lower the margin enough to hamper such improvements).

              > To what standard should security be increased? (...) What mechanism do you propose to induce companies to fix their security?

              That's up to the company. None of them wish the bad reputation of causing their own patients harm, immaterial or otherwise. Even so, most countries also have data security laws in place. For instance, where I'm from, patient data is regulated to avoid data loss that injures patients, for example by requiring certain forms of encryption, and (strictly) limiting who is allowed to handle certain data. On top of that are personal privacy laws, and patient safety laws, also particularly pertaining to patient data. Failure to follow these rules incurs fines or at worst jail, especially if it's due to lacking security, too many open attack vectors, public or easy access to areas that should otherwise have been locked, etc.

      • adkadskhj 1250 days ago
        Better? Probably, but everything in life is about incentives. If they have no incentive to protect the data to begin with then the "best" thing for them to do is invest most of the money.
    • OpticalWindows 1250 days ago
      I think we need to make it at minimum 6 figures per person for adequate protection. Once information is out there is no taking it back. Banks, jobs will use all information against you. Electronic surveillance is just another form of "Public HR"

      Sure, someone could intentionally post shit online to fuck with these systems but the creators have no remorse for such "people" as they are "degenerate" to try to destroy such "high minded" systems.

      • baobabKoodaa 1250 days ago
        If this leak would have cost "6 figures" per person, as you advocate, that would total somewhere around 4 billion euros. If the insurance company has to pay out billions of euros for a single leak, it's going to have to charge pretty hefty premiums for their client. In order to stay profitable, the client has to raise prices for their mental health services. If the end user was previously paying 100 euros to talk to someone about their mental health issues, maybe now they would have to pay 100 euros to talk + 200 euros to cover the insurance premium. Doesn't sound too good, does it?

        Now let's imagine what the insurance company does when it's about to get hit for 4 billion euros. Instead of paying out, it's going to hire an army of lawyers who are going to make a convincing argument that, actually, this was not a data leak at all, this was [something else not covered by the insurance agreement]. We've already seen this with all the "cybersecurity insurance" products, which are basically scams.

        • daniel-cussen 1250 days ago
          Many liability risks are not passed onto customers. Banks, for instance, if they used your logic, would charge you extra for their own incompetence if they were unusually frequent victims of fraud. What happens instead is these industries filter for competence, as table stakes for participating in them.
          • baobabKoodaa 1250 days ago
            > Many liability risks are not passed onto customers. Banks, for instance, if they used your logic, would charge you extra for their own incompetence if they were unusually frequent victims of fraud. What happens instead is these industries filter for competence, as table stakes for participating in them.

            Funny that you would choose banking as an example. Banks are in fact very frequently victims of fraud. Despite this, banks are (generally) profitable. Why? Because the cost of fraud is passed on to clients of banks (typically businesses), who pass on the cost to their customers.

            I mean sure, a bank that is "unusually frequent" victim of fraud will be unable to stay in operation, but a bank that is suffering the "average amount of fraud" will stay in operation just fine and pass those costs onto their clients.

            In summary, liability risks _are_ passed onto customers, and you are wrong when you claim otherwise.

        • OpticalWindows 1250 days ago
          Yes, good. Change your systems or get rid of it. Make it uninsurable and replace it with something of actual value.
        • erdos4d 1250 days ago
          Why should a private insurance company be allowed to skim a profit off this? The government should be on the hook directly, with careers ended when the taxpayer has to compensate these people for their injury.
          • michaelt 1250 days ago
            If you want fire insurance for a factory, the insurers will inspect what you're doing, the safety precautions you have in place, your testing regimes and so on - and charge you more (or refuse to insure you at all) if they don't like what they see.

            And as there are multiple insurers you get a competitive market - meaning the insurers who are best at spotting real problems prosper, while the insurers who miss problems or worry about non-problems are less profitable.

            And if a company can't get insurance at all it's not because one guy was being a hardass - they've had a bunch of chances to convince different insurers, all of whom have refused, rather than blame for them going out of business falling on some government agency.

            This is appealing to people who love free markets and small government, as there are multiple competing insurers, and all the inspections, monitoring and even the payouts happen at no cost to the government.

          • eru 1250 days ago
            Same reason we have private insurance companies in general.

            See also https://en.wikipedia.org/wiki/Reinsurance

      • nabla9 1250 days ago
        > Banks, jobs will use all information against you

        In the EU and Finland there are laws regulating what private data banks or companies can use or collect.

        For example, companies are forbidden from googling a job applicant without their permission or looking at their social media. They also can't buy data from data collectors like they do in the US.

        • OpticalWindows 1250 days ago
          Again, you're making the mistake that nobody would even try to break these laws as these are very hard to enforce.

          they probably have loopholes the size of trucks where they could hire outside sources to do such things but hide their sources.

          • nabla9 1250 days ago
            In the US company can buy your information from data brokers. It contains your social networks, opinions etc. In EU doing that would be huge risk and it's not generally done.

            Just because there are loopholes and regulations can be violated does not make regulation pointless. It directs behaviour and what is considered acceptable.

            • OpticalWindows 1250 days ago
              I think there are two ways to manage these types of issues.

              1. Bring it fully legal and have a large impact on how it is done in cooperation with government. It could be beneficial to allow government insight so that it can prepare the general public about what is going on or how society might reflect on it. In general I believe we should be aware of all of the things this data can do. If during full disclosure people want this data regulated so be it.

              2. Criminalize it (hard mode). It looks like with GDPR it will be criminalized and it will rely on companies using good faith on acquiring data like this. It will be regularly impossible to defeat all criminal actions but there will be no question who has the authority on such measures.

              With regards to both methods I see huge problems in the public understanding who is using and how the information is used. So it seems for now there are a few options left. One of which is to restrict knowledge and keep good people in power with the opportunity to use this data. Even with that we fail daily.

              Everything is a struggle but perhaps this issue might shape how humans interact with each other in the future the most.

          • fogihujy 1250 days ago
            That's the point with GDPR; you can't just start using personal data unless the person has given explicit permission for that data being used for that specific purpose. That applies to data from outside sources as well.
            • OpticalWindows 1250 days ago
              Again you're not going to catch everyone or even a large fraction of people who do it.
        • TedDoesntTalk 1250 days ago
          Do those laws apply if you sign a consent waiver? Like terms of service: agree to X or we won’t give you service.
          • nabla9 1250 days ago
            EU also has regulations to what rights people can sign away.

            Data collection must have a reason and the data collected must be relevant to achieve the task they are doing. Collecting everything for whatever reason is not allowed. https://europa.eu/youreurope/citizens/consumers/internet-tel...

            • chopin 1250 days ago
              This is unfortunately not true for health data. There is an exemption that allows it to be collected for research purposes if a member entity legalizes that. That is the case in Germany for people who are not privately insured. Their health data is centrally collected for research purposes.
          • PeterisP 1250 days ago
            Yes, they can't be signed away. Nuances matter of course, but regarding data privacy rights the general situation is that if you sign some contract with a clause 'agree to X or we won’t give you service' then that clause is simply invalid as it conflicts with the law and is not binding. If a company would use that data, then they can be fined for using that data without consent since that is not valid (freely given) consent.
      • throwaway894345 1250 days ago
        I don't think it would be feasible to start at 6 figures--I think we would have to start lower and raise over time. If you start at 6 figures, a single breach can land a company well into the billions, and insurance premiums would be way too high for corporations to stay in business. I know there are a lot of "well good, fuck the corporations" sentiments out there, but these are corporations which can be economically viable and securely protect consumer data if they are given some time to improve their security. We absolutely should walk the price up over time, but let's give people some time to develop and implement a security competency within their organization (not to mention growing a security auditing competency sufficient to handle the scale of all businesses) before imposing ruinous insurance premiums.
        • OpticalWindows 1250 days ago
          Sure, but you could consider the cost to the actual individual in the price of depressed wages, deteriorated personal relationships etc. They won't get a penny of it unless outlined by law.
          • throwaway894345 1249 days ago
            Of course. My point was that we must also consider feasibility--we should absolutely get to a state in which corporations should bear the full cost for their security decisions; however, we probably won't be able to get there overnight.
      • seibelj 1250 days ago
        It should be 7 figures. How can we put a price on knowing how often you go to the doctor?
        • Hamuko 1250 days ago
          You're not going to get seven figure payouts in Finland at any point. This isn't America.
        • baobabKoodaa 1250 days ago
          Sure, and while we're at it, why don't we make it a gazillion euros. After all, you can't put a price on privacy.
          • contravariant 1250 days ago
            Actually it should be free, after all you can't put a price on privacy.
          • fogihujy 1250 days ago
            I suspect this is going to end up as one of the most expensive GDPR fines ever (edit: as a max-fine case, not necessarily in sheer numbers). Furthermore, many individuals have had extremely sensitive data leaked publicly, and they could sue individually for damages.

            In other words: It could end up being insanely expensive.

            • Hamuko 1250 days ago
              >I suspect this is going to end up as one of the most expensive GDPR fines ever.

              I suspect that this isn't. Vastaamo Oy has about 14 million euros in annual revenue.

              >they could sue individually for damages.

              I'm guessing you're American if you think that it's gonna result in "insanely expensive" damage payouts.

              • fogihujy 1250 days ago
                I own a sailboat. ;)

                Yes, and the maximum fine is 20M€. It'll probably be quite enough to take them down. The individual payouts of any lawsuits would probably end up as five-figure numbers, so if the hacker is telling the truth about then we'd end up with at least 400M€, which in my opinion is quite insane by Finnish standards. The number of victims here is quite insane after all.

        • OpticalWindows 1250 days ago
          Make it 8 so you can knock it over and have it be infinity
    • newcomputer 1250 days ago
      Nah, the solution to people getting hacked is not to punish the people who got hacked. Nice try though.
    • zepto 1250 days ago
      Bye bye startups.
      • ptaipale 1247 days ago
        You get downvotes, but I do think you are right: at least in the health industry, this event is a perfect stickhorse to push startups out of business in Finland.

        The current left-wing government has had that on the agenda, and they now have lots of fuel for it. They will also attack the "pörriäinen" class (Mehiläinen Oyj and similar larger health care providers) but those will withstand the storm; the small ones will be wiped out - Vastaamo for sure, but possibly also others.

    • vmception 1250 days ago
      > This issue can be solved with mandatory insurance and compensation structure. For this sensitive private health information compensation should be at least 5 figures per person, no excuses. A data breach involving 10,000 people could cost 100s of millions.

      Cheaper to not worry about that and just pay the hackers occasionally then.

      In market based economies, the state is not serious about fines and convictions of corporations because the state doesn't want to be responsible for making monopolies of the remaining companies in the country.

      You can read more about this in the book "The Chickenshit Club"

  • SebaSeba 1251 days ago
    Some current background info: The breach and the extortion emails are at the moment on the front page of all major Finnish news publications. The Finnish government main ministers are discussing on how to handle the potential crisis, since there are possibly 40 000 patients' records leaked and some of the victims are already in a very vulnerable state and might be feeling even more desperate if their traumas will be publicly shared online. It is also known that there are minors among the victims. https://yle.fi/uutiset/osasto/news/psychotherapy_centre_reve...
  • chaps 1251 days ago
    Heh, years ago I wanted to see if some mental health info of mine was accessible over the internet of a major university. Nothing fancy, just did a port scan of their IP range. I found that they had dozens of their psychology department's printers accessible over the internet.

    So, I contacted their office, telling them that PII was likely accessible through these printers (through exploits), and asked that they look into why so many internal machines were accessible over the internet, and to at least remove the printers from the internet.

    They responded by telling me that there were no internet-accessible printers and that their scans would have detected something like that... and then asked that I send them any PII. I didn't, but... it truly felt like they were trying to set me up for throwing the blame my way.

    It's really bad out there.

    • qz2 1250 days ago
      Similar thing with my doctors in the UK. I found their online prescription renewal system allowed me to access other people's prescriptions. I warned them about this and they threatened to report me to the police. I found this out because I couldn't click the link in my mail client on my phone at the time so I typed the URL in incorrectly on my desktop PC.

      So I moved doctors and reported them to the ICO. Never heard anything back but their web site disappeared for a month after a couple of weeks. I’d like to think they were fined but I don’t think that actually happened.

      This was some piece of shit they had paid a local web design company, the lowest bidder, to put together. It was PHP, hosted in the USA on a shared server and didn’t even have TLS enabled.

      • glaucon 1250 days ago
        You certainly seem to have had reasons to be concerned but suggesting that a piece of software is inherently vulnerable because it's written in PHP has no basis in fact.
        • qz2 1250 days ago
          It was scene setting. While you can do it, there’s a lot of terrible terrible nasty hellish PHP out there. The whole thing is a foot gun.

          I spent 5 years fixing various messes written in it for people as a contractor in the mid 00’s.

    • corobo 1250 days ago
      I sometimes get these messages from people claiming my systems are open, but they're just new to port scanning "hurr hurr your port is open big bounty pls"

      Make sure to display your knowledge when doing this, and honestly it couldn't hurt to have some evidence.

      • notRobot 1250 days ago
        > honestly it couldn't hurt to have some evidence.

        Yes it could. Often the well-meaning people who find and report vulnerabilities are the ones who get reported to the authorities.

        • giancarlostoro 1250 days ago
          I often wonder about this, does it help if you report a vulnerability as an LLC instead of as an individual?
        • corobo 1250 days ago
          Don't report anything at all if you're concerned about that.
          • chaps 1250 days ago
            So... just give up?

            This mentality really bothers me -- your "don't bother me with your trifling banalities" snooty attitude is what makes it impossible for people like me to feel safe in reporting major leaks of health information. If you don't want to deal with it, find a new job.

            • corobo 1249 days ago
              If you think the other end is going to blame you for the data leak.. yeah? What other options are there?

              You could report it anonymously but I'd have thought a HN user would come up with that option by themselves. Just in case though, you could report it anonymously.

              • chaps 1248 days ago
                Blame for a leak isn't the problem if a leak never happened, since the goal is to _prevent_ a leak through disclosure. Your snark makes it clear that you have little to no interest in trying to see the issue from the side of the person disclosing the issue, who at the end of the day is just trying to prevent lives from being ruined through simple negligence. Yes, people obsessed with bug bounties is a thing, but in contrast to the risk of ignoring a legitimate disclosure email, who cares?

                The issue here isn't that someone would be blamed for a data leak - not even a bit. The issue is that there's a good chance that panicked management won't consider the disclosure as helpful, but instead as a genuine attack on their infrastructure and will get non-technical lawyers involved. Tons and tons of people have been sued from doing this.

                Giving as little information as possible is _necessary_ to reduce the risk of being sued. That you, and people like you, think that little information is a waste of time is just sad, man. Think about it from the shoes of those who try to disclose, and the lives of people whose information is in the systems that you maintain. Get off your lazy high horse, spend the hour to review their email, do your fucking job, or get out.

                • corobo 1248 days ago
                  Ok it really feels like you're either misinterpreting what I've said to vent some anger or I've misspoke. In any case the opinion you hold of me is not representative of my attitude towards security.

                  Of course I want to know about security issues. Actual security issues. I don't want some script kiddie pinging me about a port that's open trying to fish for a few grand because I'm the cunt that opened it! It's not an open printer or whatever nmap is telling you, it's probably a non-standard SSH port. Something someone with skill would figure out in a second.

                  If you find an open printer on my networks - send a printout to it. Say hello.

                  Have a good day.

      • MauranKilom 1250 days ago
        If the printers are accessible from the internet, it should not be hard to demonstrate there being a problem.

        For example, once a day, make them all print a page saying "Your printers are accessible over the public internet, which puts patient information at risk."

        It's still very likely they'll try to shoot the messenger though.

    • durnygbur 1250 days ago
      Our perception is biased with bug bounty rewards covered by news articles, but in real life communicating some vulnerabilities can trigger problems or being ignored at best. Institutions are hopelessly arrogant.
    • unstatusthequo 1250 days ago
      I would have printed the message using their printers. Maybe that would have been more effective?
      • siberianbear 1250 days ago
        I think the grandparent comment made the right call. It could have worked out well. Or perhaps the university would have taken disciplinary action against him for "hacking" the university computer system.

        No good deed goes without punishment.

      • lucb1e 1250 days ago
        More effective, perhaps, but it's also dancing on the edge of the law. In the Netherlands the public prosecutor doesn't pursue cases of ethical hacking (afaik the other party can still file a civil case if there are damages though, and I would assume reputational damage counts), but they totally made a case against a person that claimed to be white hat but offered to fix the problem for around 20'000 euros. Specifically:

        > The man contacted the practice and reported that a vulnerability gave access to the personal data of doctors, including e-mail addresses, usernames, passwords and bank account numbers. He then sent a quotation offering to fix the vulnerability for 16,500 to 23,000 euros. According to the OM, that quotation contained a 'threatening statement': "A fine will probably have to be paid when this becomes public, and there will be considerable reputational damage." The OM writes that after investigation the police established that the sensitive personal data was on the man's laptop and that his IP address could be linked to the break-in.

        From https://tweakers.net/nieuws/167792/om-eist-twee-maanden-cel-...

        Summary translation: he found an issue in a doctor's office, told them "you'll probably get fined if this becomes public and there will be large reputational damage" and sent an offer for 16.5-23k euros for a fix. The public prosecutor saw the message as threatening (blackmail) and therefore decided this wasn't simply a white hat reporting an issue and offering legitimate services. Upon investigating, sensitive personal data was found on his laptop.

        So is hacking into their printers to send a message proportional to the issue? I would say yes, but one might also argue this goes beyond what is strictly necessary to prove the issue. (Another guideline is that downloading your own PII to confirm an issue is fine, and that it can also be fine if you accidentally find PII but don't request more than that first record, but nothing beyond that.) You might argue that they didn't listen, but I don't know if that's an argument a judge finds compelling.

        Different countries can have different systems, not sure how white hat hacking is treated in Iran, the USA, Brazil, or other countries that seem to enjoy putting a lot of citizens behind bars.

    • vmchale 1250 days ago
      That's how security is at essentially every company but it's extra grim in the mental health/medicine world :\
  • hpaavola 1251 days ago
    The person who claimed to be the "hacker" commented on a Finnish 4chan-like board (kuvalauta) that the credentials to access the servers were root:root. AFAIK there's no evidence for or against the claim, but if true, I see two guilty parties here.
    • michaericalribo 1251 days ago
      This is a false equivalence, and victim blaming. Using root:root credentials is sloppy and poor dev practices, but that is minuscule compared with extortion and inflicting widespread stress on a vulnerable population.

      There’s a reason we have laws against both negligent manslaughter and first degree murder, and there’s also a reason why the penalties for the latter are much more severe than for the former.

      • fastball 1251 days ago
        Nobody said that they were equivalent, just that there are multiple guilty parties. Not guilty of the same thing, but guilty nonetheless.

        It's not victim blaming because the victims are the patients. The people who were in charge of securing the records and left the creds as root:root are not victims.

        • hn_throwaway_99 1250 days ago
          > The people who were in charge of securing the records and left the creds as root:root are not victims.

          We have to stop designing systems where if one administrative task is mistakenly skipped, the result is catastrophic. Imagine if when you tried to start your car that if you didn't have the brake fully pressed that your car blew up. Would you say "Oh, wow, how irresponsible it is to not fully press the brake"? No, you'd blame the manufacturer for building an exploding car.

          Systems should not start if strong admin credentials are not the first thing that are set up.
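One way to make the principle in the comment above concrete is a startup guard that refuses to bring a service up while its administrative account still carries default or weak credentials. This is an added example, not code from the thread or from any product; the default-credential list, the policy thresholds and the environment variable names are assumptions chosen for illustration.

```python
"""
Startup guard: refuse to start while the admin account is still on default
or weak credentials, instead of silently running with root:root.

Added example; the default list, thresholds and variable names are assumed.
"""
import os
import string
import sys
from typing import List

# Constructed list of factory-default (username, password) pairs. A real
# deployment would load a maintained list rather than hard-code one.
KNOWN_DEFAULT_PAIRS = {
    ("root", "root"),
    ("admin", "admin"),
    ("admin", "password"),
    ("postgres", "postgres"),
    ("sa", ""),
}

MIN_LENGTH = 14            # assumed policy minimum
MIN_CHARACTER_CLASSES = 3  # of: lowercase, uppercase, digits, punctuation

CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def credential_problems(username: str, password: str) -> List[str]:
    """Return every policy violation found; an empty list means the pair is acceptable."""
    problems: List[str] = []
    if (username.lower(), password) in KNOWN_DEFAULT_PAIRS:
        problems.append("credentials match a known factory default")
    if not password:
        problems.append("password is empty")
    elif password.lower() == username.lower():
        problems.append("password equals the username")
    if len(password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    classes_used = sum(any(ch in group for ch in password) for group in CHARACTER_CLASSES)
    if classes_used < MIN_CHARACTER_CLASSES:
        problems.append(f"password uses fewer than {MIN_CHARACTER_CLASSES} character classes")
    return problems


def startup_allowed(username: str, password: str) -> bool:
    """True only when no policy violation was found."""
    return not credential_problems(username, password)


def main() -> int:
    # Assumed variable names; the operator sets these before first start.
    username = os.environ.get("ADMIN_USER", "root")
    password = os.environ.get("ADMIN_PASSWORD", "root")
    problems = credential_problems(username, password)
    if problems:
        for problem in problems:
            print(f"refusing to start: {problem}", file=sys.stderr)
        return 1
    print("admin credentials pass policy; continuing startup")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The check runs before any listener is opened, so a skipped hardening step fails loudly at deploy time rather than surfacing as a breach later; the same function can be re-run as a health check after credential rotations.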

          • Memosyne 1250 days ago
            > No, you'd blame the manufacturer for building an exploding car.

            A better analogy would be accidentally crashing the vehicle - an action resulting from negligence or incompetence rather than some 1/1000000 chance of your car exploding due to a failure in functional safety. If someone is operating a vehicle in a manner that it was not intended to be used should we blame the manufacturer? You expect litigation to follow someone forgetting their keys, driving their car into a lake, or running out of gas on a busy freeway?

            The solution should be to mandate more certifications and security audits for high-risk organizations. The safety mechanisms should be legal and not technical; you shouldn't be permitted to operate a business dealing with sensitive data if you haven't been audited. Delegating more responsibility to the system architects doesn't solve the fact that you have incompetent people performing the administrative tasks and malicious actors abusing this incompetence. It isn't about someone making a mistake, it's about someone being irresponsible in a security sensitive environment - something that should carry severe legal repercussions.

            • strgcmc 1250 days ago
              Your twist on the analogy is better, but still misses one crucial element IMO. Forgetting your keys, driving your car into a lake, or running out of gas are all very, "obvious" and transparent failures or error states to the user, or you could say that for a user they can easily fail fast and also understand why that state is undesirable. The user is not left wondering, why would I need keys to start my car, or why doesn't my car float on water, or why does my car need gas to run...

              Forgetting to change the default password on a system before starting it up and putting it into production (negligently or not), is not a very "obvious" type of failure. Hey the software is working! People can use it to accomplish their daily tasks! Everything is fine! There are basically no signals to the average, non-sophisticated user that something is amiss, for the vast majority of security vulnerabilities/misses.

              So the real problem IMHO, is less about addressing systematic lack of competency or lack of oversight or licensing or things like that, and better tackled as questions of better UX, of failing fast and transparently to the user, or of making invalid/undesired states impossible (and user education yes, to some degree... but cars really do not require that crazy of an investment in training to operate, though different countries certainly set different expectations/standards). These are the sorts of problems that tech is used to solving, that the tech industry is optimized around solving. Of course, for tech to care about working on these problems, requires market incentives to be there (and by and large, the incentives are not there today). Which is what one of the GP ideas about fines and insurance costs/premiums is trying to address.

          • fastball 1250 days ago
            I agree that better design is imperative. However that is not the situation we are in currently.

            If you are hired to secure a system and leave the credentials as root:root, you are derelict in your duty. Period.

            If there is a system with external access, someone set it up. It is the responsibility of whoever setup that system to ensure access controls are in place. The barest minimum of that is to change the default creds to something unguessable.

          • spurgu 1250 days ago
            It's more like the car left the factory with the blow-up function still enabled. The equivalent of whomever left the root:root in place.
        • TeaDrunk 1251 days ago
          IMO we are using the language of someone who we know to act maliciously on a massive scale (tens of thousands of people, including minors) as if their words can mean anything without corroboration. Frankly I wouldn't believe a rapist saying "but look at what they were wearing" or a serial killer for saying "but they went home alone".

          Similarly, I don't hold any credence to a black hat saying "but look at how insecure they were".

          • fastball 1251 days ago
            Again, nobody is blaming the victims.

            People hired to secure records that then do an exceedingly poor job are not the victims in this situation. Victims == patients.

            In your analogies of rape/murder, the (almost) equivalent would be if there was a doorman at an apartment building who was supposed to verify the identity of everyone entering the building, but failed to do so, letting the unauthorized perpetrator into the building and thus allowing the victim to be raped/murdered. It was literally his job to prevent such a situation, and he failed. You maintain that he has no responsibility in this matter?

            • TeaDrunk 1250 days ago
              I'm just saying why assume a malicious actor is saying any truth about the circumstances of their malice?
              • fastball 1250 days ago
                I agree, but the comment I was responding to was operating under the assumption that the claim was true and was making a different point than merely "don't accept things hackers say at face value".

                Probably because the OC had already hedged:

                > if true, I see two guilty parties here.

                • TeaDrunk 1250 days ago
                  Yes, and my response is "I don't see why we need to give it any credence whatsoever enough to comment on it".
      • tgsovlerkhgsel 1250 days ago
        The real victims are the people the data is about, not the entity improperly storing the data.

        The entity that stored the data is to some small extent a victim, but most importantly they are a perpetrator.

      • rebuilder 1250 days ago
        Blame is not a zero-sum game. Yes, the extortionist deserves all the blame you can heap on them. But that does not change the fact that Vastaamo were in charge of securing highly sensitive patient data and failed to do so.
      • Natsu 1250 days ago
        The victims here are the people who had their information exposed.

        And this meme is silly, because more than one person can be at fault in a situation. This binary division of blame simply doesn't deal with the complexity of the real world.

        If their security really was that bad--something which has to be proven by more than a random, anonymous rumor--then they should be financially liable for contributing to the situation.

      • reitzensteinm 1250 days ago
        They had a duty of care to make the medical records secure, and didn't take that seriously. This is not victim blaming. It is person-at-fault blaming.

        Just because someone else is even more at fault doesn't absolve these jokers the tiniest bit. If this isn't a criminal offense, Finnish law is broken.

      • soulofmischief 1251 days ago
        It's not just sloppy and poor. In the context of confidential health records, such negligence should be and often is illegal precisely because such carelessness leads to this current situation.

        Hackers are an inevitability. You can't shed responsibility when they come for your unprotected data any more than you can blame the water if you swim out in the deep alone and get caught in a riptide.

      • tartoran 1250 days ago
        Breaking into a low-security system is one thing, but distributing private personal information is IMHO ten times worse, and senseless too.
    • Hamuko 1250 days ago
      That'd make sense since what I read was that the attackers didn't actually target this company and that they gained the data by just randomly scraping. It'd also explain why they sat on this data for like two years.
    • fogihujy 1250 days ago
      Definitely criminal negligence if true, but Terapiakeskus are not guilty of the hack nor the leaks or the blackmail. You can't blame your own crimes on others making them easy to commit; that's on the level of blaming a rape victim for being drunk.
      • colonwqbang 1250 days ago
        You have this completely backwards. The victims here are the patients whose information was leaked. The care provider failed in their duty to prevent the leak.

        If you want a rape analogy, it's like blaming a police officer for failing to prevent a rape due to the police officer being drunk.

        • lucb1e 1250 days ago
          Given that the care provider is the owner of this data, not the users themselves, I think they are also a victim. If we want to continue this analogy it might be a victim that walked uninvited into a house with a big sign "you will be raped if you walk into my house", but is still a victim nevertheless. I do think that solely blaming the care provider for their failure to protect is incorrect because a non-victim can hardly file charges against the perpetrator.

          Of course, I agree that the care provider also did something wrong (as well as the hacker(s)) and that the people are also victims, but "the people vs. the care provider" is a separate matter from "the care provider vs. the criminal".

        • fogihujy 1250 days ago
          Fair enough. The police officer would still not be guilty of the rape.
  • imposter 1251 days ago
    >The information published could not be more sensitive: it included the patient's name, personal identification number, telephone number, email address and residence address, together with the content of the therapy sessions.

    That's just pure evil.

    • nabla9 1250 days ago
      It's incredibly cruel. Blackmailers are now sending emails to people in the database directly. People already in bad shape are put under huge stress. There can be suicides.

      According to discussion on the Finnish reddit /r/suomi, the released data batch included a therapy discussion involving a person who struggled with pedophilic impulses. That's a life ruined.

      • tartoran 1250 days ago
        That is clearly a cruel thing to do to a person who has those impulses but never acted on them and is seeking therapy to get rid of them. This will erode trust in therapists and make people think twice about seeking professional help.
        • gonzo41 1250 days ago
          If that person doesn't kill themselves they very well may, untreated, hurt children. It's staggering how massive this is.
  • tekkk 1250 days ago
    One hopefully positive thing that comes out of this is the obsolescence of the use of personal information for purchases. I don't know when exactly it was thought that knowing someone's name, address and social security number was enough to make hundreds or thousands worth of credit loans or purchases, but it has to end.

    Now what you have to do is register at multiple services a block on the use of your PII for credit loans, company memberships, paper-sent address changes etc. It's outrageous how much effort you have to go through after becoming a victim of a crime, and for at least the credit block you have to pay with your own money.

    Some Finnish MP on Twitter had some good points on how to modernize the current system and I dearly wish they would put that on their agenda ASAP. When those 40k names with full addresses, phone numbers, SSNs etc. start getting spread around, it's going to be a hell of a shitshow.

    Well not that it isn't already. The hacker also accidentally uploaded the whole database for a brief moment, which from my knowledge was downloaded by at least one person, containing most if not all of the mental health records data.

  • Indy9000 1250 days ago
    There's no good reason to have personally identifiable information stored in the system. They could easily issue each patient an alphanumeric ID which is not tied to personal information yet is uniquely distinguishable.

    This is a system design failure to begin with. Design sensitive systems with only the minimum required information. The alternative is to have a massive framework to make sure PII hasn't leaked. And then legal and financial frameworks on top of that.

    After all, if a leak happens it can't be undone. Damage to the people will be long-standing and cascading.

    Best is to have a system that has no or minimal PII.

    • arh68 1250 days ago
      I thought along similar lines when I heard the Las Vegas high schoolers got hacked/dumped. Why not make standard the use of false/given names to these services which can't be trusted with PII but must transact in it? Part of enrolling for school should be getting your fake name & fake identity for the school DB, another pen name for Doctor 1, &c.

      The DMV should provide New Identities as a Service, if the problem's going to be this bad.

    • chrisseaton 1250 days ago
      > There's no good reason to have personally identifiable information stored in the system.

      They’re medical records. Seems inherently likely to be PII?

      • Indy9000 1250 days ago
        Medical records can be stored without personally identifiable information (PII). And they should be. That's what I'm proposing.
        • chrisseaton 1250 days ago
          Medical records are PII.

          Do you mean store without names? The conditions, times, places, etc, are inherently PII themselves.

          My wife gave birth on a given day in a given hospital. She also broke her ankle once. No names, but record uniquely identified.

          • Indy9000 1250 days ago
            What you say is that our actions, even without explicit names etc., can be used to identify the actual person. This is kind of missing the point. Because that sort of reverse lookup can't scale, and in a very large number of cases it won't be done. [Edge case: only person in a village or a post code].

            By removing the directly identifiable info, the damage done in a breach would be less. Whereas now, a single breach contains all the data that could identify a person, and every person in that breach, without having to do any/much reverse lookup.

            Now, the orgs that collect this data do not have a certification standard and verification that they have to obtain before going operational. Even a restaurant kitchen has that.

            On that note, I'd say that there should be a severity grading for the data items. Even eggs have a grading system. Our personal data is a tad more valuable.

        • Hamuko 1250 days ago
          How do you link a person's medical history to a person without personally identifiable information?
          • Indy9000 1250 days ago
            Medical history has to be meaningful only between doctor and patient. The doctor can keep records under a unique ID which the patient is given at the start of sessions and presents at each session to validate the relationship. In the event of a breach, even when all data is exposed, without tracking the unique ID back to a person (which would be difficult or impossible) the harm is little. (Imagine reading a story of a person but you don't know who that person is..)

            You might say that there would be other person names and places mentioned in the records and from that network and timeline you may be able to deduce the identity.. but these PII can in turn be depersonalised. And also this is not scalable for widespread damage.

            It just needs a bit of thinking when designing a system. Frankly any org that asks for PII and doesn't have a well thought out way to store them should be heavily penalised.

            That's what the law should do: standardise methods of storing sensitive data.

            • astura 1250 days ago
              There's a third party involved here, the payer. The payer (according to tfa mainly Finnish Social Security (Kela) here) needs to know what they are paying for and on whose behalf. You can't just conduct medical treatment pseudo-anonymously like that.

              That's ignoring the fact almost nobody will accept having to keep track of an "alphanumeric ID" to get treatment.

              • blackbrokkoli 1250 days ago
                The payer does not have to know content of therapy session though. Just have two databases and practice good separation of concerns.

                John Doe | Street 1234 | Therapy | 6 Units | $12,367

                That is way less interesting information than what we are discussing here...
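As an added example for the unique-ID proposal a few comments up and the two-database split suggested just above (not code from the thread or from any care provider or payer system), here is a minimal sketch of three stores that share only an opaque patient token: an identity store holding the direct identifiers, a notes store holding clinical content, and a billing store holding what a payer needs. The HMAC-based token, the in-memory stores, the key and the sample patient are constructed assumptions. It covers structured fields only; names or places written inside free-text session notes are a separate problem that this split does not address, and the identity store remains the place where the clinic verifies who the patient is.

```python
"""
Pseudonymous record separation: direct identifiers, clinical notes and
billing live in three stores that share only an opaque patient token.

Added example; the link key, store layout and sample data are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed: the linking key is held only by the identity service and is never
# deployed alongside the notes or billing stores. Constructed value.
LINK_KEY = b"constructed-example-key-do-not-reuse"

# Fields that directly identify a person; their presence in a dump is what we measure.
DIRECT_IDENTIFIER_FIELDS = frozenset({"name", "national_id", "address"})


def patient_token(national_id: str, key: bytes = LINK_KEY) -> str:
    """Keyed pseudonym. Unlike a plain hash, it cannot be re-derived by
    enumerating national ID numbers without the key."""
    return hmac.new(key, national_id.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


@dataclass
class IdentityStore:
    """Smallest store, tightest access: PII keyed by token."""
    records: Dict[str, dict] = field(default_factory=dict)

    def enrol(self, name: str, national_id: str, address: str) -> str:
        token = patient_token(national_id)
        self.records[token] = {"name": name, "national_id": national_id, "address": address}
        return token

    def dump(self) -> List[dict]:
        return [dict(rec, token=tok) for tok, rec in self.records.items()]


@dataclass
class NotesStore:
    """Clinical content keyed by token only; no direct identifiers stored."""
    records: List[dict] = field(default_factory=list)

    def add_session(self, token: str, text: str) -> None:
        self.records.append({"token": token, "text": text})

    def dump(self) -> List[dict]:
        return list(self.records)


@dataclass
class BillingStore:
    """What the payer needs: units and amount per token, no session content."""
    records: List[dict] = field(default_factory=list)

    def bill(self, token: str, units: int, amount_cents: int) -> None:
        self.records.append({"token": token, "units": units, "amount_cents": amount_cents})

    def dump(self) -> List[dict]:
        return list(self.records)


def exposed_identifiers(dump: List[dict]) -> Set[str]:
    """Direct-identifier fields an attacker obtains from a dump of one store."""
    exposed: Set[str] = set()
    for record in dump:
        exposed |= DIRECT_IDENTIFIER_FIELDS & set(record)
    return exposed


def relink(identity: IdentityStore, notes: NotesStore, token: str) -> dict:
    """Join identity and notes: only possible with access to both stores."""
    person = identity.records[token]
    sessions = [rec["text"] for rec in notes.records if rec["token"] == token]
    return {**person, "sessions": sessions}


def build_demo():
    """Constructed sample data: one patient, one session, one invoice."""
    identity, notes, billing = IdentityStore(), NotesStore(), BillingStore()
    token = identity.enrol("Constructed Patient", "010170-123A", "Example Street 1")
    notes.add_session(token, "Session 1: constructed placeholder note.")
    billing.bill(token, units=6, amount_cents=1236700)
    return identity, notes, billing, token


if __name__ == "__main__":
    identity, notes, billing, token = build_demo()
    for label, store in (("identity", identity), ("notes", notes), ("billing", billing)):
        print(f"{label} store alone exposes: {sorted(exposed_identifiers(store.dump())) or 'nothing'}")
```

A dump of the notes store or the billing store on its own carries no name, national ID or address; turning a token back into a person requires the identity store and the key that service holds.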

                • freeflight 1250 days ago
                  > The payer does not have to know content of therapy session though. Just have two databases and practice good separation of concerns.

                  A lot of detailed information is often required for the payer to green-light the actual treatment, at least in Germany.

                  Ideally the payer also wants/needs to keep track of what was already done and for what reasons.

                  Even if you keep all of that to a minimum, you still end up with a fair bit of meta-data that allows for rather detailed insights.

              • Indy9000 1250 days ago
                I think a third party or a minimum number of parties can be included in this trust network for exchange of information. Whereas now (if the data gets public) there's no restriction.

                This may not be the status quo of the medical system. But I'm willing to bet it wasn't conceived and put in place when breaches like this could happen frequently and the consequences were damning. An overhaul of the process is required. Just paying the ransom/hackers is not the only meaningful solution.

            • rebuilder 1250 days ago
              >Doctor can keep records under a unique ID which patient is given at the start of sessions and the patient presents it at each session to validate the relationship.

              Now the doctor is unable to verify the identity of the patient.

            • chrisseaton 1250 days ago
              > but these PII can in turn be depersonalised

              It turns out this is not as easy as you think it is.

        • astura 1250 days ago
          Medical records are PII themselves.
    • rebuilder 1250 days ago
      It does seem a little more complex than just issuing unique IDs. The therapist must be able to tie that ID to the patient. The healthcare provider sending the patient to the therapy provider needs to be able to do the same. How does that happen?
  • notRobot 1250 days ago
    There's a well known phenomenon where if the infosec division of a company is working well, it's not obvious at all to management, because no leaks are taking place. So their budget gets cut. And then the data leaks/breaches happen.

    Once a leak happens, the infosec division gets free rein for a few years. Until a new manager goes all "you guys don't even do anything!", and the cycle repeats.

    • beagle3 1250 days ago
      Also known as the "the bathrooms here are always so clean, we can fire the janitors!" line of reasoning.
  • aaron695 1251 days ago
    Also reported they are targeting the individuals -

    "A blackhat hacker has stolen therapy notes and personal identification of supposedly 40 000 people in #finland, tried to blackmail the target organisation @vastaamo and now targets directly the individuals. Possible the most outrageous blackmailing ever in the country, (1/2)"

    "and even wider. Finnish police @PoliisiTiedote tells crime reporting system is down, presumably because of the large number of victims reporting their case. (2/2)"

    https://twitter.com/ropsue/status/1320086169489637378

  • gogopuppygogo 1250 days ago
    Mental health issues don't allow for rational thinking. Victims of mental illness may also feel emotional pain in ways that non-sufferers cannot comprehend. I have always had a "tough guy" mentality toward my feelings. I suppress them. I think when others know who I am or how I think it's a weakness in business. Some leaders think it's helpful. Either way, I don't feel emotional pain the same way others feel it.

    How do I know this? I've been around someone close to me who suffers from mental illness for most of my life. This is someone who can feel words in ways that most people feel getting shot. That person has been bedridden for months because of something that was said to them years ago.

    They didn't choose to feel that way. They have tried therapy and drugs but to no avail so far.

    They wish they didn't feel that way but they do.

    Criticizing this person's work, car, reactions, clothes, etc... will cause a massive disruption in their life.

    If their information was leaked I can tell you they would seriously contemplate suicide over the public awareness.

    I hope the people who released this rot in hell for what they did. They took some of the most vulnerable people and quite likely will cause them to snap causing that mental pain to release into others lives. Innocent people will suffer because of this data breach.

    • burade 1250 days ago
      >They didn't choose to feel that way.

      They weren't born that way either. I guarantee you there has been some massive childhood/adolescence trauma in this person's life. If this person is a woman, then it's veeeery easy to understand why she feels this way.

      • djeiasbsbo 1245 days ago
        I don't know you but my assumption is that this is but an assumption on your part.

        Mental illness often results in irrational behaviour, which then often leads to wrong or inaccurate conclusions by the people around a patient, so professional help is very important.

        That is exactly why this "hijack" is so bad, professional psychotherapists who have studied their field are rare but needed to properly diagnose patients like this. Hackers (and self-proclaimed diagnosers) only make their profession even harder.

  • gonzo41 1250 days ago
    This is not great. Much of the conversation is about insurance to create corporate conditions of good security to avoid the risk. That's a good start. But this isn't like sorting out ID theft or Credit Card fraud. There's no chargebacks for personally damaging information.

    I'd think 'we' as an IT profession need to start pricing the sort of work we are willing to do. Hey, you want a customer login, $$$, you want to track fine grained information about that person $$$,$$$. You want to create OLAP databases with this data, no thanks I don't want to do the work.

    One more thing to ponder. It's probably within the reach of the governments of those affected to identify, track and catch the people who did this. So why doesn't the affected company pay 100 million to catch them. And then those that did it go to jail forever. Or have some grisly fate befall them that follows them around forever.

    Hacking is white collar crime. When you can effectively price risk in white collar crime you can reduce it. Let's see some hackers do the whole jail term, crying dragged away, everyone thinking there but for the grace of god go I.

    For certain records, like voting, paper is best.

  • callias 1251 days ago
    I wonder what countries, if any, give the patient the right to have obviously non-critical information deleted from his health records. In Norway, at least, if you talk to a shrink, there's no easy way to have the record of that conversation deleted; you have only to sit and wait for something like this to happen.
  • linspace 1250 days ago
    Incredibly sad news. And this made me even sadder:

    "Extortionists demanded around 450,000 euros (in bitcoins) in exchange for not publishing the clinical and mental health data of thousands of people.

    The criminals started to publish the data of 100 people every day in the encrypted web Tor two days ago."

    As someone that strongly believes in privacy and freedom I find it so depressing that some technologies seem to be exclusively used to commit crimes.

    • leppr 1250 days ago
      Rather: "some technologies seem to exclusively make the news when used to commit crimes."

      Headlines are not statistics.

      • linspace 1250 days ago
        You have a point, but I don't see other headlines, and this considering Hacker News is biased in favor of Tor and Bitcoin.
        • leppr 1249 days ago
          Maybe biased in favour of Tor but Bitcoin definitely not.
  • bahmboo 1250 days ago
    It would be fun to do some sort of textual style transfer on these docs and flood the zone with hundreds of plausible fakes. Would make the hijackers' job at least harder.
    • CryptoPunk 1250 days ago
      It would give every victim plausible deniability, as long as at least one of the fakes isn't too embarrassing.
      • rebuilder 1250 days ago
        I think in reality it would just be mass libel...
  • DoofusOfDeath 1250 days ago
    Does anyone know if state intelligence agencies have the capability of hunting down this kind of hacker?

    I would think that their need to receive ransom money would limit their ability to hide completely.

    • beagle3 1250 days ago
      Likely yes, but at a cost they wouldn’t want to pay, because it will “burn” their ability to do this in cases they likely deem more important, such as those where lives and state security are directly threatened.

      In the US, the NSA likely has enough data to solve 85% of all unsolved crime, and to prove the innocence of 95% of the wrongly accused; but doing so would limit their future ability to do so (and the ability to do their actual job) so they won't.

      • hh3k0 1250 days ago
        And 42.7% of all statistics are made up on the spot.
        • beagle3 1250 days ago
          True, I should have added "(statistics that seem right to me that I pulled out of thin air)".

          That said, Snowden disclosures and others indicate that if there's an email, voice call, location information or any other digital piece of information, it is accessible to the NSA, no warrants required.

  • brightball 1250 days ago
    Stuff like this was my biggest concern with the mandates for digital transformation in medical record keeping.

    The security of a locked file cabinet cannot be understated.

    • Hamuko 1250 days ago
      >The security of a locked file cabinet cannot be understated.

      It doesn't take much to defeat a file cabinet lock.

      • blackbrokkoli 1250 days ago
        It is, however, quite hard to do it in hundreds of locations, possibly undetected, over prolonged time periods without being personally there.

        "I can always go and stab someone" is not an argument pro autonomous killing drones either.

      • Laakeri 1250 days ago
        Defeating file cabinet locks in this scale would
  • jimkleiber 1250 days ago
    I've been testing a way to improve emotional health without recording any private information to try to avoid the challenges of hacked/leaked info.

    I record short audio exercises, where I ask a series of questions with a format like "How do you feel when you think about ___?" and put different scenarios in the blanks, related to a theme.

    If you listen to the audios, you can answer in your own head, say them out loud (not recorded), or even write them down wherever you want.

    I'm not sure if any of you would like to try, but I figured people reading this may be interested in super-private ways to try to get better at dealing with emotions.

    Currently at www.jimkleiber.com/drills

    edit The main benefit is helping you get better at saying how you feel and imagining how others might be feeling, which can help you release emotions, process them, better understand them, clarify them, and communicate them to yourself and the people around you.

  • ollifi 1251 days ago
    Tool to check if your information has been leaked (based on e-mail) https://www.tietovuodot.fi/
    • ThrAwayOb 1250 days ago
      Who runs this page and why can (or can't) it be trusted?
      • ollifi 1250 days ago
        It's supposedly run by a private individual identified on the page. It is possible that it is harvesting e-mail addresses, but it does not require other info.
  • austincheney 1250 days ago
    I have found it astonishing, from comments in other threads, how many people on HN:

    * do not believe depression to be an illness

    * indicate mental health isn't real medicine

    * people shouldn’t consult a medical provider for illnesses of mental health

    * people should self medicate

    • _def 1250 days ago
      That is a sad state but does not really surprise me. The social stigma is still very big and visible in most areas of society.

      Avoidance, ignorance and fear play a big role too, I guess. There needs to be more education regarding the topic.

    • cutemonster 1250 days ago
      > from comments in other threads,

      Is that in this topic about the leak, or generally at HN?

      I'd suspect society in general is even less understanding about mental health problems

      • austincheney 1249 days ago
        Generally at HN. Occasionally people will ask for advice about depression or anxiety. If you suggest seeing a doctor you are greeted with an emotional event.
    • newcomputer 1250 days ago
      "There are bad guys in other threads, but I will not link or provide any evidence at all to support this"

      You should reply to those people directly, instead of polluting irrelevant threads with your boogeyman complaints.

  • say_it_as_it_is 1250 days ago
    There is a code among thieves and this vermin crossed the line. Hopefully, this is one occasion where intelligence and hacker communities can work together to sort out a common enemy.
  • raverbashing 1251 days ago
    If companies are happy to pay ransoms they can't complain about being extorted for higher fees

    What is needed is actual investigation and prosecution of cases.

    • Nextgrid 1251 days ago
      What is needed is also liability for those responsible for managing that data, and maybe an argument that certain data shouldn’t be created to begin with?

      Content of therapy sessions should maybe not have been kept in a digital format to begin with.

    • MeinBlutIstBlau 1251 days ago
      Hello, but why are backups not a thing? It's like the majority of these companies don't even bother with them.
      • nogabebop23 1250 days ago
        This doesn't appear to be a ransomware attack, just plain old blackmail. Insecure backups would actually make it worse...
      • raverbashing 1250 days ago
        Backups would mean nothing in this case
  • Lio 1250 days ago
    It would be interesting to know if companies like Facebook and Google view leaked information like this as “fair game” and in the public domain.

    Would they add it to their graphs if their missions are to know everything about everyone?

    For example, the existence of shadow profiles shows that Facebook don’t care whether they have your consent or not.

    In the UK Google have made strenuous efforts to get hold of NHS medical data, sometimes with dubious consent[1].

    If you specifically asked you might be able to get them to remove information about you, but I doubt you’d get them to remove what they’d learned from their models.

    1. https://www.newscientist.com/article/2217939-google-is-takin...

  • threatofrain 1250 days ago
    > The information published could not be more sensitive: it included the patient's name, personal identification number, telephone number, email address and residence address, together with the content of the therapy sessions.
  • mlang23 1251 days ago
    Clearly this information should never have been allowed to be stored digitally. Those to blame are those who neglected to put the necessary precautions in place. Where I come from, if you forget to lock your car, police can collect the key and fine you for your ignorance. The same should apply when health data gets lost. The patients have virtually no control over what happens with their data after someone has entered it into a system. So all the mishaps which happen need to be blamed on those who run these systems. Not doing so is a pretty blatant attempt at ignoring responsibilities.
    • pessimizer 1250 days ago
      > Clearly this information should never have been allowed to be stored digitally.

      I've been aggressively informed, repeatedly, that since paper is old and computers are new, you're basically a witch-burning, Galileo-jailing Luddite caveman who is afraid of fire if you notice that the failure modes enabled by some computerization are multiple orders of magnitude more catastrophic than the analog alternatives.

      I mean, this is actually far worse than if they kept all of this information on paper records, stored all the records at one unguarded warehouse, and a burglar was allowed to pull a truck up to that warehouse and spend all day stealing them. It's worse than if they hadn't kept records at all.

    • Const-me 1251 days ago
      > Where I come from, if you forget to lock your car, police can collect the key and fine you for your ignorance.

      Where I live, people sometimes intentionally leave keys in their unlocked cars, for the convenience of people who share a parking space.

      • C19is20 1250 days ago
        My car was open and had keys in...it got stolen and found 20km away. No damage. Several other cars in the street had broken windows and signs of attempted hot-wiring. Cost to me - time. Cost to everyone else... they're all still pretty livid. Even more so that my car was about 15th in a line of 20. If it had have been first - different outcome. YMMV.
        • mlang23 1250 days ago
          You were lucky. Don't you think your analysis is a bit egocentric though? What if there was a major accident during that 20km drive? What if someone was killed with your unlocked car? Is the damage to your property still your only concern?
        • nogabebop23 1250 days ago
          Not sure I would leave the keys in my unlocked car, but when I lived in a city with a lot more petty crime many people left their doors unlocked and some spare change in the cup holder. Every day it was gone but no other damage vs. smashed windows for no gain. It pissed me off but others saw it as equivalent to paying for parking.
      • blackbrokkoli 1250 days ago
        And that is something you would like to accept as a fair reason why someone in your family was run over by a random teenager who found a drivable car standing around?
        • Const-me 1250 days ago
          Teenagers don't do that here.

          At least locals. In the news, I remember a story about drunk tourists finding a drivable electric golf-cart standing around. It's much less likely to run over a person than drive into the sea. Which they did. No one was injured (by luck, that particular cliff wasn't high enough); the court forced them to pay for the destroyed property.

    • mmm_grayons 1251 days ago
      I think you're right. If there's one thing we've learned, it's that all information which is stored digitally will be leaked at one point or another. We need to focus on storing less information wherever possible.

      Also, where do you live? I've never heard of that treatment being given to someone who forgot to lock his car. On the other hand, when people lock keys in their car, policemen are generally happy to help.

      • mlang23 1250 days ago
        Something similar applies here with weapons. If you are a legal weapon owner, it is expected of you that you take care so that nobody can just pick up your gun and start shooting. You need to store it unloaded, munitions stored separately, and all that jazz. The same thinking goes for the unlocked car thing? What if a child gets into your car, starts it up and drives over their siblings? In a way, the car owner would be responsible because they didn't ensure the car was properly locked.

        Same thinking should apply for sensitive data. If it gets stolen, it should always be the responsibility of those which have been charged with taking care of it.

        • mmm_grayons 1250 days ago
          More or less true; those who hold data bear responsibility for it. The biggest issue is that unlike, say, bank robberies, people can steal data from beyond the long arm of the law.

          As a sidenote, where do you live that firearms owners are obligated to store them unloaded? They're of little use that way. I grew up around loaded guns all over the house, not hidden at all; I knew that if I ever so much as touched one, my father would tan my hide beyond belief. More importantly, I knew I'd just end up hurting myself or others.

        • PeterisP 1250 days ago
          One thing here is that sensitive data getting stolen does not necessarily mean that the data controller was negligent with their safeguarding.

          There definitely are highly publicised cases that happened just because of gross negligence in handling that data. But to some extent, every system is vulnerable, and there are also attacks that are, using your gun and car analogies as an example, the equivalent of stealing the gun from your safe or taking your car at gunpoint while you're stopped at a red light.

  • CryptoPunk 1250 days ago
    It should be illegal to pay these ransoms. It only encourages more data raids.

    When it does happen, the victims should be compensated for the losses they suffer, but they should also be told that, in the end, it's just data, and how they react to other people becoming privy to it is something they can exert control over. They need to be told that they can choose to be resilient, and that this is a survivable event.

    • cutemonster 1250 days ago
      This is harmful advice

      > need to be told that they can choose to be resilient

      And a poor understanding of humans and mental illness

      • CryptoPunk 1250 days ago
        It seems like encouraging people to identify with their trauma is what's harmful:

        https://www.psychologicalscience.org/news/releases/trigger-w...

        Identifying positive traits in people diagnosed with mental illness - and resiliency would be one of them - seems to have a positive impact:

        https://www.tandfonline.com/doi/full/10.1080/17522439.2014.9...

        Corroborating this is the fact that exposure therapy, which implicitly assumes that the patient does have resiliency, has been found to be an effective treatment for a number of psychological disorders:

        https://www.apa.org/ptsd-guideline/patients-and-families/exp...

        • cutemonster 1250 days ago
          Interesting links, thanks. I like the "encourage resiliency" mindset.

          You seem to have in mind people who experienced something traumatic in the past, and/or are fearful of something. I wonder if things like bipolar or borderline or OCD or depression or schizophrenia didn't occur to you? Then there's not always any past trauma to be resilient against?

          > should also be told that, in the end, it's just data, and how they react to other people becoming privy to it is something they can exert control over

          This data can in some cases get them fired from a job, or bullied, and more.

          I think it's not true that it's just data -- it's more like a threat.

          • CryptoPunk 1250 days ago
            You're most welcome.

            >>I wonder if things like bipolar or borderline or OCD or depression or schizophrenia didn't occur to you? Then there's not always any past trauma to be resilient against?

            Well, there is evidence for exposure therapy being effective for many disorders, including several that you mention. From this link above https://www.apa.org/ptsd-guideline/patients-and-families/exp...

                Exposure therapy has been scientifically demonstrated to be a helpful treatment or treatment component for a range of problems, including:

                Phobias

                Panic Disorder

                Social Anxiety Disorder

                Obsessive-Compulsive Disorder

                Posttraumatic Stress Disorder

                Generalized Anxiety Disorder
            
            >>This data can in some cases get them fired from a job, or bullied, and more,

            Yes that is true. However, there is presumably nothing illegal admitted in these therapy sessions, and I think termination of employment for what was said within one would be grounds for a wrongful termination suit. Being bullied, hated, etc is a different matter, but I think is something that someone is better able to withstand with the right mindset than losing a job.

            I'm not suggesting that the damage from this disclosure can be neutralized completely, by any stretch of the imagination. Just that it can perhaps be blunted with these kinds of reassurances that the victims can in fact survive this.

            • cutemonster 1245 days ago
              > I'm not suggesting that ... Just that it can perhaps be blunted with ...

              Ok, thanks for explaining

  • cromulent 1250 days ago
    The hackers are also contacting the patients directly. A friend of ours was a Vastaamo customer a couple of years ago and received their extortion email yesterday.

    The amount demanded initially surprised me as being quite affordable, but I guess that's how extortion / blackmail works - there's never just one payment. It was different to the amount specified in the article.

    • nikanj 1250 days ago
      NB: Everyone in the leak got that email, and all of those emails have the same bitcoin wallet. [To be exact, emails went out in batches and each batch has a shared wallet].

      We've been trying to spread the good word and make people understand the hackers can't know who paid, because they didn't generate a wallet for every single user. If they can't know who paid, how would they be able to delete your data?

      But many people will probably end up paying, because 200 euros seems like a low price to keep your dignity and privacy.

      • rebuilder 1250 days ago
        Do you have a source for the Bitcoin addresses being reused? I ask because YLE is running an article claiming each address is unique, meaning the extortionist could identify who has paid. If that is not the case, I'd like to notify YLE about it as it's a pretty important point.
        • nikanj 1249 days ago
          Source: Me. We compared messages with five people who got the blackmail message, and four of them had the same wallet.

          Sorry, I don't have a news page to link.
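
      To illustrate the check nikanj describes above (comparing the payment addresses in the extortion emails that different recipients received, to see whether one wallet was shared across a batch), here is an added Python example. It is not code from anyone in this thread or from any party to the incident: it pulls Bitcoin-address-shaped strings out of a handful of constructed sample messages, groups recipients by address, and reports which recipients could not be distinguished by a payment. The recipient labels R1..R5, the message wording and the addresses are all made up; the addresses are base58-looking placeholders, not real wallets.

```python
import re
from collections import defaultdict

# Matches the two common Bitcoin address shapes: legacy base58 (starts with 1 or 3)
# and bech32 (starts with bc1). Base58 excludes 0, O, I and l; bech32 excludes 1, b, i, o.
BTC_ADDRESS_RE = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)

# CONSTRUCTED sample data (hypothetical): five recipients, four of whom were sent
# the same address. Neither string is a real wallet.
SHARED_ADDR = "1AaBbCcDdEeFfGgHhJjKkMmNnPpQqRrSs"
UNIQUE_ADDR = "1TtUuVvWwXxYyZz23456789AaBbCcDd"

SAMPLE_MESSAGES = {
    "R1": f"Pay 200 EUR in bitcoin to {SHARED_ADDR} within 24 hours or your file is published.",
    "R2": f"Pay 200 EUR in bitcoin to {SHARED_ADDR} within 24 hours or your file is published.",
    "R3": f"Send 200 EUR to {SHARED_ADDR}. After payment your data will be deleted.",
    "R4": f"Send 200 EUR to {SHARED_ADDR}. After payment your data will be deleted.",
    "R5": f"Send 200 EUR to {UNIQUE_ADDR}. After payment your data will be deleted.",
}


def extract_btc_addresses(text):
    """Return every address-shaped token found in one message body."""
    return BTC_ADDRESS_RE.findall(text)


def group_recipients_by_address(messages):
    """Map each payment address to the sorted list of recipients it was sent to."""
    by_addr = defaultdict(list)
    for recipient, body in messages.items():
        for addr in set(extract_btc_addresses(body)):
            by_addr[addr].append(recipient)
    return {addr: sorted(recips) for addr, recips in by_addr.items()}


def shared_addresses(messages):
    """Addresses that appear in more than one recipient's message."""
    return {
        addr: recips
        for addr, recips in group_recipients_by_address(messages).items()
        if len(recips) > 1
    }


def payment_is_attributable(messages, recipient):
    """True only if every address sent to this recipient was sent to nobody else.

    If the answer is False, a payment to that address cannot be matched back to
    this person by the sender, so a promise to delete 'your' data on payment
    cannot be kept even in principle.
    """
    groups = group_recipients_by_address(messages)
    addrs = set(extract_btc_addresses(messages[recipient]))
    return bool(addrs) and all(len(groups[a]) == 1 for a in addrs)


if __name__ == "__main__":
    for addr, recips in shared_addresses(SAMPLE_MESSAGES).items():
        print(f"{addr} was sent to {len(recips)} recipients: {', '.join(recips)}")
    for r in SAMPLE_MESSAGES:
        print(r, "attributable" if payment_is_attributable(SAMPLE_MESSAGES, r) else "not attributable")
```

      With the constructed input, R1 through R4 share one address and are reported as not attributable, while R5 (a unique address) is. Running the same grouping over real messages that several recipients have volunteered is how a claim like "each address is unique" can be checked rather than taken on trust.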

    • rebuilder 1250 days ago
      Someone is contacting the patients. The archive of patient data, a 10 GB file apparently, is said to have been available on TOR for a while. (I have not verified this, I'm relying on Finnish media here.) Whoever is mailing patients with demands may or may not be the original extortionist. Either way, it does not seem like anyone can keep the data from being disseminated now, so paying ransoms is pointless.
  • mtm7 1250 days ago
    This has to be a nightmare for the patients. According to the article, some are already struggling with depression and anxiety.

    > The information published could not be more sensitive: it included the patient's name, personal identification number, telephone number, email address and residence address, together with the content of the therapy sessions.

  • ElijahLynn 1249 days ago
    I wonder if the hacker themselves was a patient in the database. Do they have a grudge? Obviously they have mental health issues themselves and likely have been to a therapist themselves already. Maybe that is where they got the idea?
  • danieka 1250 days ago
    IANAL but if you are impacted by this you should seriously consider filing a civil suit against the data controller. The most interesting article of the GDPR for you will be article 82 which entitles you to compensation if you have been materially or immaterially harmed. If your personal information has been leaked this would be a clear case of immaterial damage. It has probably caused you anguish and is a violation of your right to privacy.

    In this case you will have a huge advantage since there is a police investigation which no doubt will provide you with plenty of evidence to use in your civil suit.

    Once you have proven that your data has been leaked the defendant/data controller has the burden of proof to show that they are in no way responsible for the damage caused to you.

    As I said, IANAL, but I was personally involved in a similar case in Sweden which did go to trial (and then settled).

    Hopefully there will be a class action against the data controller.

    EDIT: Once again IANAL, but if you have questions reach out to me on mail@danielk.se and hopefully I can give you pointers for your research.

    • pavlov 1250 days ago
      The upside is probably very limited. A private psychotherapy provider in Finland doesn’t have millions in their bank account.

      They’re effectively bankrupted by this news already, as business grinds to a halt. By the time a class action suit awards something to the victims, the company will be long gone.

      • anttisalmela 1250 days ago
        Class action is very limited in Finland - the law that allows this is quite recent, there have been no class action suits yet at all and I'm not sure if it would even be applicable here.
        • danieka 1250 days ago
          The situation is much the same in Sweden, however the GDPR has an article that specifically allows class actions. It remains to be seen how it would work out in practice.
          • tuukkah 1250 days ago
            In an interview of a lawyer, they said that this article has not been implemented in the Finnish legislation (or at least not properly for a health care case like this - I didn't fully catch it).
      • fogihujy 1250 days ago
        The GDPR fines alone might end up bankrupting them (and rightfully so IMO). The only upside, if any, is that this might serve as a warning to anyone claiming that one doesn't have anything to worry about if one doesn't have anything to hide.
  • jjones2 1250 days ago
    It is extremely unfortunate, but every time sensitive data like this is collected and stored it is abused in many different ways. You would have to be crazy (no pun intended) to use these services after all this.
  • AbenezerMamo 1250 days ago
    Failure on all sides and too costly to ignore.
  • wiz21c 1250 days ago
    I wonder if the company name was chosen on purpose :-)
  • TheButlerian 1250 days ago
    We should be moving away from computers, especially in places where this won't come with high cost.
  • hikerclimb 1250 days ago
    Good.
  • Dobby2020 1250 days ago
    Let's add "Russian" hackers in the title to make it sound more mainstream XD
    • asenk 1250 days ago
      What's the relevance of your comment to the topic?
    • vmception 1250 days ago
      haha, it still works, the actual hacker gets paid, and the VPN or RPC'd computer in Russia never gets subpoena'd and the real investigation is deflected into thinking about "state sponsored hackers" in Russia, ordered by Putin himself!

      "17 Intelligence agencies all agree that [the IP address of the computer used by] the hackers were in Russia, how suspicious that you don't!"

  • Aeolun 1250 days ago
    Can we just outlaw bitcoin already? It’s really the only way attacks like this are practical.
    • leppr 1250 days ago
      Also outlaw Western Union, gift cards, game items, and all the remaining ways to transfer value internationally.

      Then, maybe, you could think about going after the actual hackers, exploit sellers, designers and implementers of insecure systems, ...

      But first ban Bitcoin.

      • Aeolun 1250 days ago
        Jup. Have you seen any more efficient medium to transfer money internationally?

        Think of all the difficulties inherent in all the methods you’ve stated above, and compare them to bitcoin (or any cryptocurrency).

        Of course we can go after the actual criminals, it would just help if they can be traced.

  • 1337shadow 1250 days ago
    For what we know and according to RFC 1392, these are crackers, not hackers.
  • JohnCClarke 1250 days ago
    Co-founder of InsurTechnix here. Our tech helps cyber insurers provide pro-active risk mitigation instead of just financial risk transfer.

    My Mom suffered her whole life from manic depression and schizophrenia so I can imagine what the victims of these attacks are going through.

    The reason we like cyber insurance as a channel for cyber security is that the insurers have "skin in the game" because they pay out for incidents.

    • robocat 1250 days ago
      Who do the insurers pay out?

      If a company indemnifies themselves through insurance, they have increased their moral hazard (ignoring balanced decreases in other areas).

      Insurance doesn’t help the victims.

      • PeterisP 1250 days ago
        Insurance does help the victims - without insurance, the victims are unlikely to see any meaningful compensation from the company who failed in their data safeguarding duty, as the company will simply be bankrupt, the compensations would be far more than they could possibly pay unless they have insurance that will fund the compensation payments.
      • JohnCClarke 1250 days ago
        InsurTechnix believes that it's important to pro-actively defend against ransomware. The costs of e.g. patching OSes, or updating software applications, or blocking RDP ports, etc. are tiny by comparison with direct and indirect costs of attacks.

        Currently cyber insurance is a game that no-one really wins. That's why we're trying to change the game.