Smartphone screen with a photo of a staircase going down

Photo by Jonas Lee on Unsplash

It was revealed recently that mental health pros who use an Android phone for their practices, and have also used Facebook Instant Messenger on that Android phone for some time, may have suffered a breach of privacy from Facebook that impacts clients. There could be a need to report this privacy breach to affected clients, and there’s a small chance it might also need to be reported to Health and Human Services.

We did some consulting with mental health counselor and HIPAA attorney, Eric Strom, to get guidance on this issue. Roy’s video conversation with Eric is below.

Knowing What Happened

Ars Technica reported recently that for some Android phone users who run Facebook Messenger, Facebook Messenger has been accessing the phone call and text message logs on their phones.

For those professionals so affected, Facebook may have retained records of calls and texts exchanged with some of their clients. These records contain client phone numbers and whatever name was given to them in the clinician’s contact book. So we know that these records identify the clients being communicated with.

Finding Who Was Affected

You can download a copy of all the data that Facebook has collected about you. Facebook provides instructions for doing that here. We recommend that everyone who thinks they might have been affected by this incident download their data and see if there is any client information in it.

  1. If you use an Android phone to call or text clients, and have (or previously had) Facebook Messenger installed on it, your clients may have been impacted. You can check for sure by downloading your Facebook data and looking for client information in it.
  2. If you have never called or texted clients with an Android phone on which Facebook Messenger was installed, this did not impact your clients.
  3. If you never opted in to allow Facebook Messenger to access the contact book on your Android phone, this might not have impacted your clients.
  4. iPhones are not affected at all by this particular issue.

Our free, informative articles are brought to you by Hushmail,
who is offering our readers 15% off for life!
Wondering why this is here? See our sponsorship policy for details.

Hushmail Image

Roy with coffee mugRoy says: Hushmail is one of several secure email options that serves health care practitioners like us. Hushmail is highly trusted, affordable, includes secure web forms that accept e-signatures, and has earned a recommendation from us for use by mental health professionals. Learn more about Hushmail for Healthcare and get 15% off for life.

If you discover that logs of calls or texts with clients are, in fact, in your Facebook data, then it would be wise to take some action to prevent more data gathering by Facebook going forward. Preventing more data gathering is likely as simple as deleting Facebook Messenger (if not all Facebook apps) from your Android phone.

You can also request that Facebook remove call, text, and contact data from your account. Instructions are here. Do note, however, that some journalists report that these requests don’t seem to be consistently honored. So check to make sure your request was completed before assuming that call and text logs have been removed from your Facebook data.

Reporting the Incident

If you discover any client call or text logs in your Facebook data, it would be wise to tell any affected clients about their presence in those logs. There is also a small chance that you might need to report this incident to the federal Department of Health and Human Services.

This is where many therapists are likely to have a lot of questions. So instead of worrying alone, we decided to contact mental health counselor and attorney, Eric Strom, to help answer questions and provide guidance. Following is Roy’s interview with Eric on the topic. If you prefer to read rather than watch, you can click the button below the video to view a transcript of it. Some resources for following up on this incident are below the video!


We are having a LIVE REPLAY of our 1-hour CE presentation on HIPAA-compliant risk analysis, which is a process we use to help us avoid incidents like this one. CE credit is free for all. It will be on April 26th at 3PM Pacific / 6PM Eastern. Get more info and register here.

1) We have a free article that describes how HIPAA breach notification works. Find it here.

2) Download your full set of personal data held by Facebook using the instructions here.

3) Get call, text, and contact info removed from your Facebook personal data using the instructions here.

4) The Person Centered Tech membership includes multiple levels of risk management support and tools to help mental health professionals stop these kinds of incidents before they start. Click here to check it out.



Scheduled Maintenance

We will be temporarily taking the website offline at 10:00 PM Pacific (1:00 AM Eastern) tonight, July 6, in order to make some improvements. We plan to be back online by midnight Pacific (3:00 AM Eastern). We apologize for any inconvenience this may cause. Dismiss