[Hamuko]

How do you link a person's medical history to a person without personally identifiable information?

[Indy9000]

Medical history has to be only meaningful between doctor and patient. Doctor can keep records under a unique ID which patient is given at the start of sessions and the patient presents it at each session to validate the relationship. In the event of a breach, even when all data is exposed, without tracking the unique ID back to a person (which would be difficult or impossible) the harm is little.. (Imagine reading a story of a person but you don't know who that person is..)

You might say that there would be other person names and places in mentioned in the records and from that network and timeline you may be able to deduce the identity.. but these PII can in turn be depersonalised. And also this is not scalable for widespread damage.

It just need a bit of thinking when designing a system. Frankly any org that ask for PII and doesn't have a well thought out way to store them should be heavily penalised.

That's what the law should do standardised methods of storing sensitive data.

[astura]

There's a third party involved here, the payer. The payer (according to tfa mainly Finnish Social Security (Kela) here) needs to know what they are paying for and on who's behalf. You can't just conduct medical treatment pseudo-anonymously like that.

That's ignoring the fact almost nobody will accept having to keep track of an "alphanumeric ID" to get treatment.

[blackbrokkoli]

The payer does not have to know content of therapy session though. Just have two databases and practice good separation of concerns.

John Doe | Street 1234 | Therapy | 6 Units | $12,367

That is way less interesting information than what we are discussing here...

[freeflight]

> The payer does not have to know content of therapy session though. Just have two databases and practice good separation of concerns.

A lot of detailed information is often required for the payer to green-light the actual treatment, at least in Germany.

Ideally the payer also wants/needs to keep track of what was already done and for what reasons.

Even if you keep all of that to a minimum, you still end up with a fair bit of meta-data that allows for rather detailed insights.

[Indy9000]

I think a third party or minimum number of parties can be included in this trust network for exchange of information. Where as now (if the data gets public) there's no restriction.

This may not be the status quo of the medical system. But I'm willing to bet it wasn't conceived and put in place when breaches like this could happen frequently and the consequences were damning. Overhaul of the process is required. Just keep paying the Ransom/Hackers is not the only and meaningful solution.

[rebuilder]

>Doctor can keep records under a unique ID which patient is given at the start of sessions and the patient presents it at each session to validate the relationship.

Now the doctor is unable to verify the identity of the patient.

[chrisseaton]

> but these PII can in turn be depersonalised

It turns out this is not as easy as you think it is.