If you’re a psychologist using digital tools in your practice, this article matters to you — a lot. In March 2026, a Spanish clinical management platform for psychologists suffered one of the most severe security breaches in the sector: over one million clinical notes were exposed, including complete transcriptions of therapy sessions, names, national ID numbers, and intimate patient details. The attacker demanded $300,000 in ransom. The root cause: two-factor authentication was optional.
This incident is not an isolated case. Spain is the second most attacked country in Europe in the healthcare sector. Mental health data is among the most valuable on the black market. But the solution is not going back to paper — it’s choosing the right tool.
1. What happened with a platform in the sector — and what we learn from it
In early March 2026, a cybercriminal posted on a hacker forum that they had extracted the complete database of a well-known management platform for psychologists based in Catalonia. They shared sample files from over 200 professionals as proof. The data included names, surnames, phone numbers, emails, national ID numbers, but also — and this is the most serious part — complete clinical notes and transcriptions of therapy sessions with extremely sensitive details: relationship problems, work stress, sexual disorders, family conflicts.
The affected company acknowledged the incident, activated its response protocol, reported to authorities, and notified the AEPD (Spanish Data Protection Agency). However, several cybersecurity experts and organisations such as ePrivacidad pointed out that the company downplayed the severity of the attack, describing the leaked data as “brief professional notes” when in reality they contained extensive transcriptions of complete sessions. Furthermore, the data was leaked without any encryption.
The most revealing detail? Two-factor authentication was an optional feature until the day of the attack. Only after the breach did it become mandatory for all users.
Lesson 1: 2FA should never be optional
On a platform handling health data, two-factor authentication must be mandatory from day one — not a reactive response to an incident.
Lesson 2: Promising security is not the same as implementing it
A website can claim anything. What matters is the actual system architecture: encryption, access controls, independent audits.
Lesson 3: Your patients' data is a special category
Under Article 9 of the GDPR, health data enjoys the highest level of legal protection. Its leakage can have devastating consequences for both patients and you as the data controller.
2. Your fears are legitimate, but they have solutions
Let’s be honest. We know that many psychologists feel a mix of distrust and overwhelm when it comes to technology and data protection. Studies from the Official College of Psychologists of Madrid confirm that data confidentiality and technical issues are among the top concerns for professionals regarding telepsychology.
45% of professionals who don’t use digital tools cite a lack of trust in online information security as their main reason.
2,400 weekly cyberattacks
The healthcare sector receives an average of 2,400 cyberattacks per week globally, 10% more than the previous year.
Up to 20 million euros in fines
The AEPD can impose fines of up to 20 million euros or 4% of global turnover for very serious GDPR infringements.
But here’s the paradox: paper and a physical diary don’t protect you more than a well-designed platform. A cabinet full of records can burn in a fire, be stolen, or be accessed by unauthorised people. A digital platform with the right security measures offers encryption, access controls, automated backups, and complete traceability of who accesses what data and when.
The key is choosing wisely
The key is not avoiding technology. It’s choosing technology that takes security as seriously as you take your patients.
3. How HanaMind protects your practice data
At HanaMind, security is not an optional feature or a marketing slogan. It’s the foundation upon which the entire platform is built. These are the specific measures we implement:
Mandatory two-factor authentication
From day one — not as a response to an incident. Every time you access your account, you need to verify your identity with a second factor. Even if someone obtained your password, they couldn’t access your patients’ data.
Encryption in transit and at rest
All communication is protected via TLS protocol (the same standard banks use). Stored data is encrypted with military-grade algorithms. Your patients’ information never travels or is stored in plain text.
Full GDPR and LOPDGDD compliance
Designed to comply with the European GDPR and Spain’s Organic Law 3/2018. We implement data minimisation, role-based access control, activity logging, and the ability to exercise data subject rights (access, rectification, erasure, portability).
Top-tier European infrastructure
Hosted in Hetzner data centres, a European provider certified ISO 27001, with redundancy, physical access controls, and independent audits. Your patients’ data never leaves Europe.
But there are two aspects of HanaMind that frequently raise questions and deserve a detailed explanation: video consultations via Google Meet and payments via Stripe.
4. “Google Meet is not secure for video consultations”: myth busted
This is one of the most widespread — and most unfounded — myths in the sector. The technical reality is exactly the opposite.
All Google Meet video calls are encrypted in transit by default, using the DTLS and SRTP protocols, standards defined by the IETF (Internet Engineering Task Force), the same organisation that defines the fundamental protocols of the internet. This means the audio and video of your sessions travel encrypted from your device to Google’s servers and back to your patient’s device. Intercepting and decrypting that communication is computationally infeasible with current technology.
End-to-end encryption
Google Drive recordings are encrypted at rest with AES 128-bit or higher. Google Meet offers end-to-end encryption (E2EE) for individual calls and client-side encryption (CSE) for Enterprise plans.
Top-tier certifications
Google Workspace holds ISO 27001, 27017, 27018, and 27701 certifications, plus SOC 1, SOC 2, and SOC 3 audits. It complies with European GDPR and is compatible with HIPAA (the US healthcare regulation, even more stringent in certain aspects).
Google does not use Meet data for advertising, does not sell it to third parties, and does not store video or audio unless someone starts a recording.
A significant fact
Google Meet has never suffered a known security breach, unlike other video call platforms that have had documented problems (such as the “Zoombombing” phenomenon). Google Cloud’s security team has over 700 engineers dedicated exclusively to protecting its infrastructure.
When you use Google Meet integrated in HanaMind for your video consultations, you’re not choosing a “less secure” option. You’re choosing one of the most audited, certified, and robust platforms on the planet.
5. “Stripe is a third-party app, I don’t trust it”: why it’s exactly the opposite
Another recurring fear: “Why do my patients have to pay through a third party? Wouldn’t it be more secure to handle payments directly?” The short answer is no. The long answer explains why using Stripe is significantly more secure than any internal alternative.
Stripe is certified as PCI DSS Level 1, the highest and most demanding security level in the global payments industry. Card numbers are encrypted with AES-256 (the most robust standard available) and stored in a completely isolated infrastructure. When your patient enters their payment details, these never pass through HanaMind’s servers: they go directly to Stripe, which returns a secure token. It is technically impossible for HanaMind to see, store, or leak the actual card data of your patient.
$1.9 trillion in annual transactions
Approximately 1.6% of global GDP. 90% of Dow Jones companies and 80% of Nasdaq 100 trust Stripe: Amazon, Google, Microsoft, NVIDIA, Shopify, BMW, Toyota.
$2.3 billion in fraud blocked
Its AI-based fraud detection system analyses hundreds of signals per transaction and blocked $2.3 billion in fraudulent activity in 2025 alone.
Stripe has an entity incorporated in Europe (Stripe Payments Europe, Limited, in Ireland) with an EU electronic money licence, complies with the PSD2 directive and Strong Customer Authentication (SCA), and has a Data Processing Agreement that guarantees GDPR compliance.
Why is delegating payments more secure?
The irony of the “I don’t trust a third party” argument is that delegating payments to a specialist like Stripe reduces your attack surface. If you handled payments directly, you’d need to store card data on your servers, obtain your own PCI DSS certification (with annual audits costing between 50,000 and 200,000 euros), and maintain financial security infrastructure with resources that no startup or individual practice could afford. Stripe invests hundreds of millions of dollars a year in security so you don’t have to.
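The tokenisation flow described above (card data goes to the processor, the practice’s backend only ever receives a token) and the attack-surface argument, as an added example written for this article and not HanaMind’s or Stripe’s own code: the backend refuses any request that carries something that looks like a card number, so a PAN can never be stored, logged or leaked from it. The `tok_` prefix, the field names and the processor call are assumptions; the processor is a labelled stub.

```python
import re

# A run of 13-24 digits, spaces or dashes is a candidate card number (PAN).
PAN_CANDIDATE = re.compile(r"\b\d[\d -]{11,22}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def contains_pan(value) -> bool:
    """True if any string anywhere in the request body looks like a card number."""
    if isinstance(value, dict):
        return any(contains_pan(v) for v in value.values())
    if isinstance(value, (list, tuple)):
        return any(contains_pan(v) for v in value)
    if isinstance(value, str):
        for match in PAN_CANDIDATE.finditer(value):
            digits = re.sub(r"[ -]", "", match.group())
            if 12 <= len(digits) <= 19 and luhn_valid(digits):
                return True
    return False

def charge_with_processor(token: str, amount_cents: int) -> dict:
    """Constructed stand-in for the processor call; not Stripe's real API."""
    return {"status": "succeeded", "token": token, "amount_cents": amount_cents}

def handle_payment_request(body: dict) -> dict:
    """Backend entry point: the only card-related value it accepts is a token."""
    if contains_pan(body):
        # Refuse before anything is logged or stored, so a PAN never lands in
        # this server's database, logs or error reports.
        return {"status": "rejected", "reason": "raw card data is not accepted"}
    token = body.get("payment_token")
    if not isinstance(token, str) or not token.startswith("tok_"):  # assumed prefix
        return {"status": "rejected", "reason": "processor token required"}
    amount = body.get("amount_cents")
    if not isinstance(amount, int) or amount <= 0:
        return {"status": "rejected", "reason": "invalid amount"}
    return charge_with_processor(token, amount)

# Constructed samples: what a tokenised client sends, and what a mis-built
# client might send (Stripe's well-known test card number) and must be refused.
TOKENISED_REQUEST = {"payment_token": "tok_example_abc123", "amount_cents": 6000}
RAW_CARD_REQUEST = {"card_number": "4242 4242 4242 4242", "cvc": "123", "amount_cents": 6000}
```

The PAN check also catches a card number typed into a free-text field such as a session note, which is the leak path that tokenisation alone does not close.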
6. What you should demand from any clinical management platform
After the incident that shook the sector in March 2026, many professionals are wondering what criteria they should use to evaluate the security of their management tool. These are the measures that, according to the GDPR, the LOPDGDD, and industry best practices, should be considered essential — not optional:
Mandatory 2FA
Not optional, not “activatable if you want”. It’s the first line of defence against unauthorised access.
TLS + AES-256 encryption
Data encryption in transit (TLS/HTTPS) and at rest (AES-256), so information never exists in plain text at any point in the system.
Demonstrable GDPR compliance
Including impact assessments, processing records, and data processing agreements with providers.
Encrypted backups
Automated and stored in separate locations with independent access controls.
Traceability and audit of access
Logging of every access to clinical data, so you know who accessed what and when.
At HanaMind, all these measures have been implemented since the platform’s design. Not as patches after an incident, but as foundational principles.
7. Your responsibility as a professional, our responsibility as a platform
As a psychologist, you are legally the data controller for your patients’ data under the GDPR. This means that choosing technological tools is not a minor decision: it is a legal obligation. If the platform you use suffers a breach, you could also face legal consequences, from complaints to the AEPD to civil lawsuits for moral damages from your patients.
We’re not telling you this to scare you. We’re telling you because we believe you deserve to make informed decisions. And because at HanaMind we’ve built every feature with the goal that you never have to worry about whether your patients’ data is protected. It is.
Key points to remember
The trust your patients place in you inside the consultation room deserves the same protection outside of it. HanaMind exists to guarantee exactly that.
Want to see for yourself how HanaMind protects your practice? Request a free demo and discover a platform where security is not a promise — it’s a technical guarantee.