That makes sense, but Finland is a welfare state where government pays for a large part of health care costs, and this data breach was at a start-up that has a couple hundred therapists that mostly contract for the public health care system.
And government regulations require tracking of sessions, costs and compensations, identifiable by person ID.
One extra piece of anguish people have here is that not only may their mental records be revealed, but simply that their address and person ID is used by identify thiefs who take loans or mail-order things in their name.
The government has now responded by starting to find out if the person IDs of the victims could be changed quickly to avoid this risk, but I think that is an answer to wrong question. The right question is why it is permitted to apply for loans with a specific person ID without providing reliable authentication (either electronic signing or physical photo ID).
And government regulations require tracking of sessions, costs and compensations, identifiable by person ID.
One extra piece of anguish people have here is that not only may their mental records be revealed, but simply that their address and person ID is used by identify thiefs who take loans or mail-order things in their name.
The government has now responded by starting to find out if the person IDs of the victims could be changed quickly to avoid this risk, but I think that is an answer to wrong question. The right question is why it is permitted to apply for loans with a specific person ID without providing reliable authentication (either electronic signing or physical photo ID).