15 June 2026
Few cyber incidents have illustrated the human consequences of a data breach as starkly as the attack on Vastaamo, a Finnish psychotherapy provider. Criminals stole highly sensitive records and, after failing to extort the company, turned their attention to individual patients. They threatened to publish therapy notes unless victims paid ransoms. The incident caused enormous distress and left lasting psychological scars. It reminds us of the duty to protect client data.
Stories like this understandably attract attention. They also create anxiety, particularly among Australian small businesses that work closely with clients. Health providers, accountants, financial advisers and other professional services often wonder whether they face similar risks and whether they can realistically defend themselves.
Focus on due diligence
Most Australian client-facing businesses do not hold the same volume of information as a national psychotherapy provider. More importantly, they do not need perfect security. They need sensible security. Customers do not expect organisations to predict every threat or defeat every attacker. They expect organisations to take reasonable care.
The Vastaamo case highlights an important principle. Sensitive information deserves special consideration. Not every piece of information carries the same consequences. A leaked lunch order might prove embarrassing. A leaked counselling note, financial statement or family dispute could affect someone’s life for years.
That does not mean organisations should avoid collecting information. Businesses need information to operate. However, they should ask simple questions. Why do we hold this information? How long do we need it? Who genuinely requires access? Could we store less? These questions often improve security more effectively than expensive technology.
Small businesses sometimes assume that cyber resilience requires specialist teams and complex systems. In reality, many important safeguards are straightforward. Multi-factor authentication, backups, software updates, access controls and staff awareness provide a strong foundation. Organisations that understand their information and maintain clear procedures often achieve better outcomes than those that rely entirely on products and certifications.
The Vastaamo breach also reminds us that trust forms part of the service being delivered. Clients rarely separate privacy from professionalism. They expect confidentiality in the same way they expect competence, honesty and care. Protecting information therefore represents more than a technical obligation. It forms part of the relationship itself.
Australian businesses should remain alert. They should understand the sensitivity of the information they hold and review their practices regularly. Yet they should avoid panic. The lesson from Finland is not that disaster waits around every corner. The lesson is that trust matters, and trust grows from a series of ordinary decisions made consistently over time.
Good security does not require fear. It requires care. That standard remains demanding, but it remains entirely achievable for small businesses prepared to treat client information with the respect it deserves.
