Psychotherapy and Digital Forgetting: Why Transcribing Audio Without Deleting the Files Can Be Ethical Negligence

Published on 2 April 2026

In 2020, a Finnish psychotherapy center was hacked and thousands of patients received individual extortion demands based on their own therapeutic confessions.

The Cruelest Blackmail in Digital History

In October 2020, something unprecedented happened in Finland. An anonymous attacker gained access to the database of Vastaamo, one of the country's largest private psychotherapy centers, with over 40,000 registered patients. But what the attacker did with that data wasn't selling it on the black market or publishing it in bulk. It was something far worse.

The attacker sent individual emails to thousands of patients. The message was simple and devastating: "Pay 200 euros in Bitcoin within the next 24 hours, or I publish your complete therapy notes on the internet. If you wait 48 hours, the price goes up to 500."

These weren't empty threats. Each email included textual excerpts from the patient's actual sessions with their therapist, proving the attacker had access to their most intimate confessions: childhood trauma, sexual abuse, suicidal ideation, addictions, infidelities, psychiatric diagnoses. Information that many patients had never shared even with their families.

The impact was devastating. Several patients reported acute panic attacks. Suicide prevention hotlines recorded significant increases in calls. Some victims lost jobs when their data was effectively published. Vastaamo's CEO was fired, the company filed for bankruptcy, and the case generated one of the largest criminal investigations in Finnish history.

In 2024, Aleksanteri Kivimäki, a 26-year-old Finnish hacker, was sentenced to six years and three months in prison for the attacks. But no court ruling can undo the damage caused to thousands of people whose most private confessions were exposed to the world.

What Vastaamo Reveals About Therapeutic Data Custody

The Vastaamo case wasn't a sophisticated attack by a state intelligence agency. Investigations revealed that the center's database was protected by deficient security measures: weak passwords, unpatched systems, and an architecture that allowed remote access without multi-factor authentication. The first unauthorized access occurred as early as 2018, two full years before the blackmail began.

This raises an uncomfortable question for every mental health professional: if one of the largest psychotherapy clinics in a Nordic country with high technological standards couldn't protect its patients' data, what makes an individual therapist think their cloud storage provider will?

The reality is that many psychologists and therapists are adopting session recordings as a legitimate clinical tool. The reasons are understandable: clinical supervision, resident training, complex case review, documentation for legal proceedings involving custody or incapacity. Recording, in itself, can be a valuable therapeutic tool.

The problem isn't recording. The problem is what happens to the recording afterward.

The APA Ethics Code and the Digital Gap

The American Psychological Association (APA) Ethics Code, particularly Standard 4.01 on Maintaining Confidentiality, establishes that psychologists must take "reasonable precautions to protect confidential information." Standard 4.02 on Discussing the Limits of Confidentiality requires professionals to inform patients about the foreseeable limits of their data protection.

But these standards were drafted in an era that predates cloud-based automated transcription. When a therapist records a session and uploads it to a conventional transcription service to obtain text for clinical notes, they are doing something the original ethical framework didn't contemplate: sending a human being's most intimate revelations to third-party servers, where how long the audio and the resulting text are kept, and in how many copies, is decided by the provider's retention terms rather than by the therapist.

Standard 6.02 on Maintenance, Dissemination, and Disposal of Confidential Records requires psychologists to maintain confidentiality when creating, storing, transferring, and disposing of records, and to plan in advance for the protection of those records if they withdraw from practice. If the transcription service you used retains copies of your patients' sessions and that company suffers an attack like Vastaamo's, your patients are exposed without you being able to do anything about it. Confidentiality no longer depends on you. It depends on the data retention policy of a third party whose security practices you don't know.

The Vicious Cycle of Clinical Supervision

There is one particularly sensitive use case: clinical supervision. In psychologist training, it is standard practice for therapists-in-training to record sessions (with patient consent) for review with their supervisor. This process is fundamental to professional development and quality of care.

Traditionally, these recordings were shared in in-person meetings and destroyed afterward. But in the post-pandemic era, remote supervision has become normalized. Recordings travel via email, are stored in shared Google Drive or Dropbox folders, and are transcribed with commercial tools to facilitate supervisor review.

Each of these steps multiplies the points of exposure. A recording that was meant to exist temporarily for a specific clinical purpose ends up copied across multiple servers, multiple services, and multiple legal jurisdictions, each with its own backups and retention rules.

And when a patient asks: "Who else has heard what I told you in session?" — the honest answer should include the infrastructure engineers of every cloud service involved in the processing chain. But no therapist gives that answer, because most don't even know it themselves.

Diarization as a Clinical Tool

For mental health professionals who need to transcribe sessions, automatic speaker separation (diarization), which attributes each stretch of speech to a speaker, is essential. In a therapy session, distinguishing between what the patient said and what the therapist said isn't a minor detail — it's the fundamental structure of the clinical record.

Without diarization, a therapy transcription is a block of text where the professional's interventions blend with the patient's verbalizations. With diarization, you get a structured document where each participant is identified, allowing the supervisor to analyze the therapist's technique, the patient's response patterns, and the interactional dynamics of the session.

But this very granularity that makes diarization so clinically valuable also makes it extremely dangerous if the data is retained. A diarized transcription of a therapy session isn't just text — it's a complete map of a person's inner life, perfectly organized and attributed.

The Imperative of Digital Forgetting

The concept of the "right to be forgotten," partially enshrined in Article 17 of the European GDPR, acquires its most profound meaning in the context of psychotherapy. If there is any domain of human activity where information should be able to cease existing once its purpose has been fulfilled, it is precisely in the therapeutic space.

The therapy session is, by design, a space where one says what cannot be said anywhere else. A space where the patient explores thoughts that shame them, fears they don't understand, impulses that terrify them. The very efficacy of therapy depends on that space being perceived as absolutely safe.

Every transcription service that retains data erodes that safety. Every server that stores a copy of a session is a copy of a human being's most absolute vulnerability waiting for someone to find it.

The 40,000 patients of Vastaamo don't need anyone to explain why. They already know what it means when someone finds your darkest secrets and sends you an email demanding money for their silence.

The only transcription of a therapy session that is truly secure is one that ceases to exist the instant it fulfills its clinical purpose. The audio is processed, the text is delivered, and both are destroyed without leaving a recoverable trace. No cache. No backup on a remote server. No material for a future Vastaamo. Note that pressing delete is not erasure: a file removed from an SSD, a cloud volume with snapshots, or a mailbox can often be recovered, whereas data encrypted under a key that existed only for that session and was then destroyed cannot be.
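The following is an added example, not code from the original page or from the product it promotes. It shows the two ideas above in working form: a diarized transcript rendered as an attributed, turn-by-turn record (the granularity the diarization section describes), and "digital forgetting" implemented as crypto-shredding, where the transcript is encrypted under a per-session key held only in process memory and forgetting means destroying that key, so any cached or backed-up copy of the ciphertext becomes noise. The speaker labels, the sample utterances and the type names are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// ErrForgotten is returned once the session key has been destroyed.
var ErrForgotten = errors.New("session key destroyed: transcript is unrecoverable")

// Segment is one diarized utterance. The speaker labels are an assumption for
// this example, not a schema from the page.
type Segment struct {
	Speaker string
	Text    string
}

// FormatTranscript renders diarized segments as an attributed, line-per-turn
// record: the granularity that is clinically useful and dangerous if retained.
func FormatTranscript(segs []Segment) string {
	var b strings.Builder
	for _, s := range segs {
		fmt.Fprintf(&b, "%s: %s\n", s.Speaker, s.Text)
	}
	return b.String()
}

// SessionVault wraps a transcript with a per-session key that lives only in
// process memory. Ciphertext may be cached or backed up anywhere; once
// Forget() runs, every copy of it is undecryptable (crypto-shredding).
type SessionVault struct {
	key  []byte
	aead cipher.AEAD
}

// NewSessionVault draws a fresh 256-bit AES-GCM key for one session.
func NewSessionVault() (*SessionVault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SessionVault{key: key, aead: aead}, nil
}

// Seal encrypts and authenticates the transcript. Output is nonce || ciphertext.
func (v *SessionVault) Seal(plaintext []byte) ([]byte, error) {
	if v.aead == nil {
		return nil, ErrForgotten
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a sealed blob; it fails if the key is gone or the data was altered.
func (v *SessionVault) Open(sealed []byte) ([]byte, error) {
	if v.aead == nil {
		return nil, ErrForgotten
	}
	ns := v.aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return v.aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Forget destroys the only key. Zeroing the key bytes and dropping the AEAD is
// best effort: Go does not guarantee that the expanded key schedule is scrubbed
// before the garbage collector reclaims it. The property relied on is that the
// key was never written to disk, so no persistent copy of it exists anywhere.
func (v *SessionVault) Forget() {
	for i := range v.key {
		v.key[i] = 0
	}
	v.key = nil
	v.aead = nil
}

func main() {
	// Constructed sample exchange, not a real session.
	segs := []Segment{
		{"therapist", "What was it like to say that out loud?"},
		{"patient", "Terrifying. I have never told anyone."},
	}
	v, err := NewSessionVault()
	if err != nil {
		panic(err)
	}
	sealed, _ := v.Seal([]byte(FormatTranscript(segs)))
	pt, _ := v.Open(sealed)
	fmt.Print(string(pt)) // readable only while the session key exists
	v.Forget()            // purpose fulfilled: destroy the key, not just the file
	_, err = v.Open(sealed)
	fmt.Println("after Forget:", err) // after Forget: session key destroyed: transcript is unrecoverable
}
```

The design choice worth noting is that the ciphertext is allowed to leak into caches and backups, because the guarantee rests on the key rather than on every storage layer honouring a delete. A second vault, or an attacker holding a dump, gets an authentication failure from Open, and after Forget the original vault does too.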

Because in psychotherapy, digital forgetting isn't a technological feature. It's an ethical obligation.

Sources:
BBC News, "Vastaamo hack: Therapy centre blackmail suspect arrested in France" (February 2023).
Yle News (Finnish Broadcasting Company), "Vastaamo data breach: What we know so far" (October 2020).
The Guardian, "Finland therapy data hack: suspect arrested after thousands blackmailed" (2023).
Helsinki Times, "Aleksanteri Kivimäki sentenced to six years for Vastaamo data breach" (2024).
American Psychological Association, "Ethical Principles of Psychologists and Code of Conduct", Standards 4.01, 4.02, 6.02.
General Data Protection Regulation (GDPR), Article 17, Right to erasure.


See How It Works

Simulation of our military-grade security transcription. A playful example of our application's workflow and processes.

View Simulation