by astura 2068 days ago
There's a third party involved here, the payer. The payer (according to TFA mainly Finnish Social Security (Kela) here) needs to know what they are paying for and on whose behalf. You can't just conduct medical treatment pseudo-anonymously like that.

That's ignoring the fact almost nobody will accept having to keep track of an "alphanumeric ID" to get treatment.

2 comments

The payer does not have to know the content of the therapy session though. Just have two databases and practice good separation of concerns.

John Doe | Street 1234 | Therapy | 6 Units | $12,367

That is way less interesting information than what we are discussing here...

> The payer does not have to know the content of the therapy session though. Just have two databases and practice good separation of concerns.

A lot of detailed information is often required for the payer to green-light the actual treatment, at least in Germany.

Ideally the payer also wants/needs to keep track of what was already done and for what reasons.

Even if you keep all of that to a minimum, you still end up with a fair bit of meta-data that allows for rather detailed insights.

I think a third party or minimum number of parties can be included in this trust network for exchange of information. Whereas now (if the data gets public) there's no restriction.

This may not be the status quo of the medical system. But I'm willing to bet it wasn't conceived and put in place when breaches like this could happen frequently and the consequences were damning. An overhaul of the process is required. Just continuing to pay the ransom/hackers is not the only and meaningful solution.