by james-redwood 1404 days ago
> Sure, some questioned the purity of Tapio’s motives; Kristian Wahlbeck, director of development at Finland’s oldest mental health nonprofit, says he was “a bit frowned-upon” and “perceived as too business-minded.” And yes, there were occasional stories about Vastaamo doing shady-seeming things, such as using Google ads to try to poach prospective patients from a university clinic, as the newspaper Iltalehti reported. But people kept signing up.

> But the slick exterior concealed deep vulnerabilities. Mikael Koivukangas, head of R&D at a Finnish medtech firm called Onesys Medical, points out that Vastaamo’s system violated one of the “first principles of cybersecurity”: It didn’t anonymize the records. It didn’t even encrypt them. The only thing protecting patients’ confessions and confidences were a couple of firewalls and a server login screen. Anyone with experience in the field, Koivukangas says, could’ve helped Vastaamo design a safer system.

Disappointing, but I'm not surprised.
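The two principles Koivukangas names, pseudonymising identifiers and encrypting the record body, are cheap to apply and turn a stolen database dump into noise. The program below is an added example written for this thread; it is not Vastaamo's code or anything from the article, and the key-handling helper, the record layout and the sample note are assumptions made for illustration. It keys the patient identifier through HMAC-SHA256 so the stored row carries only an opaque pseudonym, encrypts the note with AES-256-GCM, and binds the ciphertext to the pseudonym as associated data so a record cannot be re-attached to another patient or altered without detection.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"log"
)

// Keys are held outside the record store (an HSM or KMS in practice, not the
// database host). A dump of the store without them reveals nothing usable.
type Keys struct {
	PseudonymKey []byte // HMAC-SHA256 key: real identifier -> opaque pseudonym
	DataKey      []byte // 32-byte AES-256-GCM key for note contents
}

// NewKeys generates fresh random keys (hypothetical helper for this example).
func NewKeys() (*Keys, error) {
	k := &Keys{PseudonymKey: make([]byte, 32), DataKey: make([]byte, 32)}
	if _, err := rand.Read(k.PseudonymKey); err != nil {
		return nil, err
	}
	if _, err := rand.Read(k.DataKey); err != nil {
		return nil, err
	}
	return k, nil
}

// StoredRecord is the only thing written to disk: no identifier, no plaintext.
type StoredRecord struct {
	Pseudonym  string // hex HMAC of the patient identifier
	Nonce      []byte // 12-byte random GCM nonce, unique per record
	Ciphertext []byte // AES-GCM output (note || 16-byte tag)
}

// Pseudonym is a keyed one-way mapping: without PseudonymKey an attacker can
// neither recover nor enumerate real identifiers; with it, lookups still work.
func Pseudonym(k *Keys, patientID string) string {
	m := hmac.New(sha256.New, k.PseudonymKey)
	m.Write([]byte(patientID))
	return hex.EncodeToString(m.Sum(nil))
}

func gcmFor(k *Keys) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.DataKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal pseudonymises the identifier and encrypts the note. The pseudonym goes
// in as associated data, so moving a ciphertext to another patient's row
// fails authentication on Open.
func Seal(k *Keys, patientID, note string) (StoredRecord, error) {
	gcm, err := gcmFor(k)
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredRecord{}, err
	}
	p := Pseudonym(k, patientID)
	ct := gcm.Seal(nil, nonce, []byte(note), []byte(p))
	return StoredRecord{Pseudonym: p, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and verifies a record; any change to the ciphertext, nonce or
// pseudonym makes it return an error instead of plaintext.
func Open(k *Keys, rec StoredRecord) (string, error) {
	gcm, err := gcmFor(k)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Pseudonym))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// LeaksPlaintext models an attacker who copies the raw store: it reports
// whether the identifier or the note text appears verbatim in the stored bytes.
func LeaksPlaintext(rec StoredRecord, patientID, note string) bool {
	dump := append([]byte(rec.Pseudonym), rec.Nonce...)
	dump = append(dump, rec.Ciphertext...)
	return bytes.Contains(dump, []byte(patientID)) || bytes.Contains(dump, []byte(note))
}

func main() {
	k, err := NewKeys()
	if err != nil {
		log.Fatal(err)
	}
	// Constructed sample input for the example, not real patient data.
	rec, err := Seal(k, "010190-123A", "Session 3: patient describes panic attacks at work.")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("stored row: %s %x %x\n", rec.Pseudonym, rec.Nonce, rec.Ciphertext)
	note, err := Open(k, rec)
	fmt.Printf("decrypted with key: %q err=%v\n", note, err)
	rec.Ciphertext[0] ^= 0x01
	_, err = Open(k, rec)
	fmt.Printf("after tampering: err=%v\n", err)
}
```

The pseudonym is deterministic per key, so the application can still find a patient's rows by recomputing it, while the printed "stored row" is what an intruder with database access would actually see. Keeping the keys off the database host is the part that matters; encryption with the key sitting next to the data only helps against theft of the disk, not a compromise of the server.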

1 comment

IMO leaking health records should be fined for life. Like when you cause an accident where someone loses 50% of their sight, those responsible for the leak (including bad security practice) should pay monthly till the end of the victim's life.

Certain leaks cannot be undone and can continue to have consequences for the victims.

Given that generational trauma is a thing, I'm not convinced it should end at the victim's death.