Sometimes online therapists violate the confidentiality of their clients — and sometimes the field lacks adequate protections for the well-being of those clients. That, unfortunately, is one conclusion of an article we published recounting the facts of how a group of six self-proclaimed ‘experts’ in online therapy exposed confidential client information on a major web portal. The BACP has upheld our decision to publish this information, provided that the identifying details of relevant professional bodies and those responsible for violating client confidentiality are removed.
About the Censored Text
What follows is the full text of the article “Online Therapist Avoids Censure Over Breach of Client Confidentiality” originally published in November 2005, with the identifying details of practitioners and professional bodies removed. It was this article which led the group of online therapy ‘experts’ to lodge a complaint with the BACP alleging that I was out to get them, alleging that I had fabricated the whole episode in order to victimize the members of the group, and more. In my defence, I demonstrated that it was in fact the group of ‘experts’ who had lied repeatedly, and the BACP subsequently threw out most of the allegations against me. They did, however, rule that it was unfair for me to have published the actual names of those who violated client confidentiality and requested that I not re-publish this article until such identifying features had been removed. (The full details of the case brought against me, including a note on evidence that the group of practitioners lied to official bodies, are available separately: “BACP Asks That Names Be Removed from Published Account of Confidentiality Violation by Online Therapists”.)
In order that anyone with an interest in the matter will be able to examine the original document which elicited the complaint against me, I have left essentially all material intact and unaltered except for that which I have been asked to remove. Specifically, I have removed the identifying details of the mental health practitioners involved, as well as the details of the two professional bodies involved. Although the BACP decision did not request it, I have also removed the details of a third organization, a non-professional special interest group concerned with online mental health; it was this special interest group under whose auspices the group of practitioners were operating. I may have changed some gender references. Some specific material quoted from the ethics code of one of the professional organizations has also been removed, because it is publicly available on that organization’s website and thus might be used to identify the relevant body.
Note that the BACP’s decision does not place upon me any additional duty of confidentiality whatsoever with regard to reporting my experience of the incident or reporting the evidence demonstrating the violation of client confidentiality effected by the group of practitioners; nor does the BACP’s decision apply in any way whatsoever to any other material on this site except for the single article named in the decision. While I therefore do not owe the practitioners involved any special duty of confidentiality, per se, I do owe them fairness, and I owe the BACP full compliance with the specific details of their request — namely, the removal of personally identifying information. The BACP has clearly ruled that the material may be published with personally identifying features removed, and this article complies with that request, as did my complete removal of the original article.
Original Title and Abstract
Original Title: Online Therapist Avoids [censored organization] Censure Over Breach of Client Confidentiality
Original Abstract: Following a six-month preliminary investigation, the [censored organization] has decided not to open a formal ethics case against [censored location] psychologist [censored name] regarding an incident in which confidential client information was unwittingly published on a publicly accessible website. According to evidence provided with the complaint, when notified of the security lapse, [censored name] destroyed the database of nearly 500 messages exchanged by the [censored group] Group but declined to inform clients. Do adequate safeguards exist for protecting client interests from the mistakes of online mental health professionals?
Summary of the Case
In April 2005, complaints were filed simultaneously with the [censored organization] and the [censored location] State [censored organization] providing a large volume of evidence that during the period September 2004 to March 2005, an online [censored group] group, used by members of the [censored organization] to discuss confidential therapeutic work with clients, was left completely unsecured and open to the public as a result of the actions of [censored location] licensed psychologist [censored name]. (As a result of the [censored organization] filing, to my knowledge all facts reported here about the case are now a matter of public record in the state of [censored location].)
The matter was turned over to official bodies only after exhaustive efforts had been made in private, directly with [censored name], to ensure that any affected clients would be informed that their confidential information had been published in a fashion to which they had not consented. Unfortunately, these efforts elicited sustained personal abuse and legal threats from [censored name], who declined to consider notifying any client that a security lapse had occurred and who ultimately refused to discuss the matter any further. [censored name] did, however, take the unusual step of destroying all evidence of the online discussion group’s existence — a step which did at least serve the purpose of protecting against further confidentiality violations via that same avenue.
What Does the [censored organization]’s Dismissal of the [censored name] Case Mean?
It is important to understand that in terms of the practicalities of its normal functioning, the [censored organization]’s Ethics Committee does not operate in any way analogously to a court of law, and taking a complaint to the Ethics Committee is not an appropriate step for anyone interested in attributing ‘guilt’ or ‘innocence’. Among the many differences which distinguish it from a court of law, Ethics Committee proceedings occur entirely behind closed doors, and a strong asymmetry is enforced so that, for example, those bringing complaints are not permitted to know how the practitioner who is the subject of the complaint responds, or to address those responses in any way. Indeed, those bringing complaints are not even permitted to know any details of the [censored organization]’s final decisions.
Rather than seeking to determine guilt or innocence, inviting the involvement of the [censored organization] Ethics Committee is instead primarily a means of incentivising a practitioner to do the right thing, where ‘the right thing’ is described by the [censored document] and its [censored document]. Involvement of the committee provides an incentive to do the right thing because a practitioner can short-circuit the entire process of an ethics investigation very quickly by simply agreeing to correct the situation. As publicly indicated, one of the most common causes for the dismissal of a complaint is [censored quotation] — agree to correct the violations, and the case is over.
The complete list of the most common causes for dismissal includes:
- [censored quotation]
- [censored quotation]
- [censored quotation]
- [censored quotation]
- [censored quotation]
Given that [censored name] himself repeatedly acknowledged the seriousness of the security lapse — and indeed initially even expressed gratitude that the matter had been brought speedily to his attention — and given that [censored name] himself judged it to be so serious as to merit the complete erasure of all evidence of the group’s activities, it would appear that we can safely set aside the possibility that the complaint was simply erroneous and not supported by a preponderance of evidence (numbers 3 and 4). Likewise, there is no question whatsoever that publishing confidential client information on a publicly accessible website is prohibited by the [censored document] (number 1). We are therefore left with numbers 2 and 5 above, suggesting that either the [censored organization] considered it to be a minor point that clients be informed of potential violations of their confidentiality, or [censored name] eventually agreed to correct the situation.
It took 6 months to get there, but we can only hope that the eventual outcome really was a correction of the situation.
So What Exactly Happened?
I’ll describe here, as best I can, the facts which led to the ethics complaint being filed. I emphasize the word facts, because I will recount here only the actual events which are 100% supported by evidence, and which I have personally experienced. I will set aside any speculations as to motivations on the part of practitioners involved.
[censored organization] [censored group] Group
The [censored organization] has operated a [censored group] Group for several years. For the first 8 months or so of the group’s existence, the group carried on a significant volume of discussion via a dedicated Yahoo! Groups discussion list, although group members report that activity dwindled after that initial period. This can be verified via the publicly accessible home page for that discussion group. Note that while this home page is publicly accessible, membership in the list is required to view any messages contained in the group’s archive. This point is very important for understanding what I will describe below.
[Editor’s Note: Within 48 hours of this article’s first appearance, the security settings for the old [censored group] Group discussion list home page, linked above, were altered to prevent the group from being found via the simple search described below.]
In September 2004, a new effort was made to re-ignite the activity of the [censored group] Group, and a new Yahoo! Groups discussion list was set up. A few months later, the group produced a [censored document], written “[censored quotation]” and offering “[censored quotation]”. Like all the other [censored organization] groups on Yahoo!, this one was easy to locate by simply typing ‘[censored quotation]’ into the ‘Find a Group’ search box at the main Yahoo! Groups page. What was different about this new group, however, was that it was immediately obvious the group’s message archive was completely open to the public. Since the group (called [censored group]) was subsequently erased by [censored name], you won’t be able to verify this yourself now, but a screen shot is available of the discussion group’s home page as it looked in March 2005. At the right side of the page, you can read the group settings:
- Listed in directory
- Open membership
- Messages do not require approval
- All members may post messages
- Message archive viewable by public
There can be no doubt whatsoever that under these settings, the group’s traffic was fully open to the public. Note also the prominent RSS logo displayed in the middle of the group’s page: this means that summaries of group messages were available globally to news aggregators and to anyone with a newsreader.
Notifying [censored name] and the [censored group] Group — and the Response
At the time, the [censored organization] [censored group] Group included the following practitioners:
- [censored name] — of [censored website].com
- [censored name] — of [censored website].com
- [censored name] — of [censored website].co.uk and [censored website].com
- [censored name] — of [censored organization] University
- [censored name] — of [censored website].com
- [censored name]
Upon discovery of the fact that the [censored organization] [censored group] Group discussion area was completely open to the public, in March 2005, a message was sent to all the members of the group notifying them of the situation:
Dear [censored group] members,
I appreciate that many of you are probably on holiday/vacation right now. (I am too.) Nonetheless, I am writing to all of you at once, as well as to the separate ‘owner’ address of your Yahoo! group, to ask that you consider taking urgent action to remedy a problem which I believe you will agree is severe.
Your Yahoo! discussion group for [censored group], and all 497 messages it contains, is configured to allow full public access to all group traffic. This appears to have been the case for the last half a year. All of your messages to one another — including all of your verbatim quotations of client emails, and all of your discussions of those client emails — are available to any casual visitor who cares to read them. In addition, the group’s activities are routinely broadcast by Yahoo! across the globe, via RSS, to any newsreader ‘tuned’ to the group’s RSS feed.
Unfortunately, there is no practical way to ascertain just how many members of the general public (including your clients) may have read some or all of your messages.
For the avoidance of doubt, I will be especially direct: this has nothing whatsoever to do with ‘hackers’, or ‘security breaches’, or ‘software bugs’. This is just basics. No malicious intent of any kind is required for a user to begin reading your full message history. No special technical competence or arcane tools are required to identify the problem. Every person who ever browses through the ‘mental health’ section of Yahoo! groups, or visits the group’s home page, or uses any web-based function of the group, will immediately see the group labelled as ‘public’.
Please consider taking immediate action to shut down full public access to your discussion area.
Initially, it was not clear that [censored name] fully understood the situation. [censored name] claimed that Yahoo! must have unilaterally made all groups open to the public, without notifying their owners. He indicated that he had just gone to reset the group’s security settings, and claimed that the group was in fact closed, and that it was not, nor had it ever been, listed in the Yahoo! Groups directory. He made several references to search engine bots and to Google. He did say thank you for having been notified of the situation.
Unfortunately, a simple check after [censored name] had gone to configure the group settings indicated that in fact the group was still completely open to the public. It was also still listed in the Yahoo! Groups directory, although this fact was utterly irrelevant to the problem at hand (as were the activities of Google or search engine bots). Vast numbers of other closed groups were still listed, indicating that, contrary to [censored name]’s claim, Yahoo! had not made any unilateral moves to alter security settings across the board.
Shortly thereafter, [censored name] indicated that the entire [censored group] Group had discussed the matter, and not one of them had been able to replicate the experience of so easily gaining unauthorized access to the group, despite trying very hard.
At this point, [censored name] once again acknowledged the seriousness of the situation, and [censored name] strongly emphasized how important it was that I tell no one else of the situation, because significant harm might well be caused to clients, should any other web surfers access the Yahoo! Group and read the private and confidential discussions of the [censored group] Group.
The simple steps required for a casual surfer to find and access the group were then explained once again to [censored name] and his colleagues. Recall, all that was required to access the group was to type ‘[censored quotation]’ into the main Yahoo! Groups home page, click on the resulting listing for the group, and start browsing through their messages. Having had the problem carefully explained once more, [censored name] might have simply tried again to get the discussion group’s parameters set correctly, so as to restrict access to the material to members of the group. Instead, [censored name] took the extraordinary step of erasing all evidence that the group had ever existed on Yahoo!
Subsequent discussion deteriorated markedly. [censored name] had been urged to inform clients, and possibly the [censored organization], whose name the group bears, of the security lapse — after all, it was [censored name] who himself highlighted the harm which might come to clients, should anyone else discover the group’s material — but this suggestion was met with lengthy invective and verbal abuse, which do not bear repeating here. (Note that any client of any of the group members could potentially have suffered the exposure of confidential information, but since [censored name] was the only person ever to reply to my emails, the discussion remained focused specifically on whether [censored name] himself was willing to inform clients.)
The final state of things, as [censored name] saw them, was made clear in one final message in which [censored name] insisted that he represented all group members, who he reported had unanimously asked him to speak on their behalf:
- [censored name] highlighted the collective century of clinical experience of the 6 members of the group;
- [censored name] denied that the Yahoo! Group had ever been accessible to any member of the public;
- [censored name] reasserted that all clients had given informed consent to have their material discussed; given [censored name]’s denial that any security lapse had ever taken place, the question of informed consent to having their material discussed in public was repeatedly avoided;
- [censored name] accused me of criminal activity, slander, libel, lying, hacking, grossly unprofessional behaviour, verbal abuse, fabrication, distortion, disregard for collegial civility, intentional mis-statement, and pure fantasy, as well as asserting that my behaviour had been a threat to both clients and clinicians;
- [censored name] stated that the [censored organization] [censored group] Group had nothing more to say to me.
So ended direct discussion with the [censored organization] [censored group] Group regarding the publicly accessible nature of their Yahoo! Group discussion area and the possibility of informing any affected clients that their confidential material may have been viewed by members of the general public.
Making the [censored organization] [censored group] Group Complaint Formal
The response I’ve described above from [censored name] — and, according to [censored name], from all his colleagues, acting unanimously — made it clear to me that there was no other option but to pass the matter to relevant professional bodies: client material had been unwittingly exposed in a way contrary to the consent which clients had given, yet they were not being told about it. (If clients really had given consent to having their material discussed in public, then obviously there would have been no need for evidence to have been destroyed, and there would have been no sense whatsoever to [censored name]’s claim that clients could be harmed as a result of other web surfers accessing the group.)
Confidential advice from senior members of the field, including in my own professional organization, the British Association for Counselling and Psychotherapy, reinforced this clarity and highlighted the possibility that it may be unethical for me not to take the matter further. Regrettably, I found myself writing to the relevant professional bodies within a matter of weeks, providing evidence that included:
- Full records of how the Yahoo! Group was reached,
- Full evidence that the Yahoo! Group had in fact been completely open to the public until shortly before it was destroyed by [censored name],
- Full details of all 497 emails contained within the publicly accessible Yahoo! Group, and
- Full records of all emails exchanged with [censored name] regarding the incident.
Reporting in this way on the behaviour of a fellow mental health professional was the single most unpleasant task I have ever undertaken in this field, but one in which I apparently had little choice, given [censored name]’s chosen response to the situation.
In addition to the [censored organization], material was sent to the [censored organization]. After losing the documents, then finding them, then not being sure of whether they’d found them all, that office’s cursory investigation — including mostly unsigned sentence fragments and occasional whole sentences sent to me via email — appeared to focus on the question of whether confidential information was still being disclosed. Since that had never been a subject of any dispute, their ‘investigation’ was wrapped up very quickly; from what I understand, the question of withholding information from clients about past risks to their confidentiality was of no concern to them.
Involvement of the [censored organization] Board
As an historical side note, my interaction with the [censored organization] regarding the matter was…um…illuminating.
I contacted [censored organization] President [censored name] in confidence for her advice regarding the matter, but she refused to discuss it with me, broke confidence, and immediately turned the matter over to the full [censored organization] Board of Directors, specifically including [censored name] himself (as well as [censored group] Group member [censored name]). [censored name] had previously briefed the [censored organization] President about the situation anyway, and the entire board swiftly brought itself in to render judgement.
Although one might expect that [censored name] (and his [censored group] colleague) would recuse themselves from any board deliberations regarding an alleged ethical violation in which they themselves were involved — or that the board as a whole might detect an air of conflict of interest in such an arrangement — this did not prove to be the case. Instead, the full board of 10 members immediately returned their judgement that the [censored organization] membership should not be told of the incident, and that the board had not received any credible evidence to substantiate the allegation that the discussion material had been made publicly accessible. Obviously, the board had actually made it flatly impossible for themselves to receive any such evidence by refusing to communicate with me, but this fact was not mentioned in the board’s judgement. The board went even further, accusing me of unethical behaviour for forwarding evidence of [censored name]’s actions to the [censored organization]. The ‘rationale’ for this accusation? They reportedly believed that my providing the [censored organization] with copies of the [censored group] Group traffic which [censored name] destroyed violated the usage guidelines for the (completely unrelated!) main [censored organization] members’ discussion list as well as the usage guidelines of the [censored group] itself, a group of which I have never been a member nor ever sought to become a member. In other words, the [censored organization] Board of Directors took the position that no evidence (which, of course, they believed didn’t exist anyway) should ever have been provided to the [censored organization]. In addition to [censored name], [censored name], and [censored name], other members of the board that delivered the judgement included [censored name], [censored name], [censored name], [censored name], [censored name], [censored name], and [censored name].
In fairness, the [censored organization] has no formal ethics procedures or complaints procedures of any kind, so when a situation arises indicating that a [censored organization] member may be placing client welfare at risk via a sanctioned [censored organization] activity, the organization’s board of directors can invite themselves to become involved and hand out judgements in any way they see fit.
Public Interest, Politics and the Forgotten Client
No doubt it will be obvious that I am actually a big proponent of high quality, professionally run online mental health services. After all, I operate one of the most visited sites on the web that is dedicated specifically to counselling and psychotherapy, and I operate my own online therapy and online counselling service. I’m presently coming up for around 800,000 words logged of email-based counselling and therapy, and I certainly wouldn’t be doing that if I didn’t believe in it! (For what it’s worth, that’s reportedly a larger single-practitioner evidence base of actual clinical experience with the modality than you will find referenced in any published research on the topic — even if it didn’t take me a ‘century of experience’ to accomplish it. See the two earlier articles about some online practitioners’ apparent penchant for misrepresenting their actual online clinical experience by reporting it in years: “How Much Online Therapy Really Goes On? Part 1”.)
Moreover, I have no wish to go about ‘scare-mongering’ and arousing unnecessary worry among members of the general public.
Finally, I also would rather like to get along with fellow professionals in the field, and I am all too aware that in terms of the field’s politics, being known as the guy who brought an ethics case (a dismissed one, no less!) against a self-proclaimed ‘grandfather of the field’ is not the greatest way to get along. What better way to get yourself excluded from polite conversation than being the guy who couldn’t just shut up about it and let the experts and their century of collective experience get on with it?
Nonetheless, it seems to me there are some important take-home points here, and I believe it would be overwhelmingly contrary to the public interest for the five points below to remain covered up by the actions of individuals and organizations who have so far been involved in the matter. If there are any lessons to be learned from this incident and the way it was ultimately resolved (or, perhaps, not resolved), that learning will certainly not occur as a result of continuing to withhold information about it. Among the take-home points from which we may be able to learn something:
- A large body of evidence suggests that the [censored organization] [censored group] Group unwittingly made confidential client discussions available to people who had not been authorized by the clients concerned.
- Mechanisms and behaviours in place at the [censored organization] [censored group] Group were inadequate to prevent this lapse from occurring, and once it did occur, served primarily to safeguard the interests of [censored name] and his colleagues; protection of clients from further disclosures of confidential information occurred as an incidental side effect of an unnecessarily drastic action (destruction of evidence) and could have been achieved by merely updating a simple security setting.
- Mechanisms and behaviours in place within the [censored group] Board of Directors served primarily to safeguard the interests of [censored name], the [censored group] Group, and the [censored organization] status quo; these mechanisms and behaviours actively prevented the consideration of actual evidence concerning the situation and restricted the flow of information to [censored organization] members about events within their own organization. The board’s accusations levelled at the ethics of my own behaviour were made in such a way as to ensure that they could not be debated or even made the subject of a reply.
- Mechanisms in place at the [censored organization], which took 6 months to deliver their ‘dismissal’, remain obscure, as the [censored organization] offers complainants no details regarding the potential resolution of situations prompting their dismissal of a complaint.
- Mechanisms in place at the relevant state level appeared altogether ineffectual at addressing the underlying ethical issues highlighted by the evidence provided to them, and focused instead on legalistic questions such as whether the confidentiality violation was ongoing.
In addition, it is worth noting that bringing professional oversight to the situation required that I — as a single individual practitioner — act repeatedly against my own best interests, subjecting myself to prolonged invective and ridicule from the practitioner involved and even accusations from the [censored organization] board acting in the absence of factual evidence. Should there be a better way for such matters to be handled, which doesn’t require individual practitioners to run themselves through the mill?
But what seems to me to be left out of all this is…you guessed it…the clients.
Has what I surmised at the beginning — namely, that [censored name] at last agreed to inform any affected clients — actually come to pass? Have any other members of the [censored organization] [censored group] Group informed any of their affected clients? Or, in unanimously supporting [censored name]’s choice of response, do they simultaneously agree that significant harm could come to clients were the material to be found by members of the public, and also believe that no clients should be informed that members of the public may have done exactly that?
For the last half a year, probably something over two dozen different ‘professionals’ and ‘experts’ have occupied themselves in one way or another with the details of a security lapse which may have resulted in confidential client information being seen by members of the public, yet not a single one of those clients may even have been told about it. I very much appreciate the importance of natural justice for [censored name], I appreciate the importance of refraining from unnecessary public scare-mongering, and I appreciate that individuals and organizations sometimes can’t help but act to protect their own interests. But is it in the public interest — or the interest of the field itself — to withhold information about such a serious and potentially damaging situation?
In my personal opinion, the bottom line here is very simple. We all make mistakes, sometimes pretty serious ones. What matters most is not the fact that we make them, but how we choose to deal with them. Anybody, with any degree of skill (or lack of it), can make a truly awful mistake. What requires real talent is taking the bull by the horns, accepting responsibility for our mistakes, and doing our best to make things right with the people who have been affected by those mistakes. I believe the general public and the field as a whole would be well served by a little more of that.
Epilogue — Supreme Irony
A bit of supreme irony about this whole affair managed to escape my memory until just today.
Over a year ago, when discussions were first occurring about launching a new [censored group], I actually suggested that any new [censored group] being set up should consider using encrypted email. I specifically highlighted the risk of keeping historical archives of unencrypted messages for extended periods of time on a third party server operated by Yahoo! and argued that Yahoo! Group discussion lists should no longer be used for [censored group] traffic, unless messages were encrypted.
However, [censored name] — like [censored name], [censored organization] founder — took offense that a comparative newcomer such as myself should make any such suggestions about how a case study group should be operated. [censored name] adamantly disagreed and shot me down in flames, arguing that encryption was too hard to use, and that if Yahoo! Groups had been working just fine for the last 5 years, there was no reason not to continue using them for confidential traffic. Although to my knowledge [censored name] has never actually been in clinical practice (either online or offline), his judgements on such matters appear to be accepted uncritically by many who have been, and I let the matter drop (but privately resolved that whatever anyone else chose to do, I personally would not take such a risk with client welfare).
In retrospect, if the suggestion of a comparative newcomer had been taken more seriously, and if the view hadn’t prevailed that using encryption was too hard, perhaps none of this would ever have happened. After all, if the publicly accessible [censored organization] [censored group] Group archives had been encrypted archives, it wouldn’t have mattered a jot who saw them, since their contents would have remained inaccessible, and client confidentiality would have been guaranteed.
Live and learn — I hope.
All clinical material on this site is peer reviewed by one or more clinical psychologists or other qualified mental health professionals. This specific article was last reviewed or updated by Dr Greg Mulhauser, Managing Editor on .