Ray from Excess Return hosted the 169th Cavalcade of Risk this week - be sure to stop by and check it out. In the "heads up" category, there's a good post from David Williams, reminding readers that when healthcare data is hacked, the thieves are most likely interested in social security numbers and credit card info, rather than medical records. He points out that medical offices don't need SSNs, and that patients shouldn't feel uncomfortable refusing to have their SSNs added to their files. Years ago, when we were new to the health insurance industry, I remember that some of the individual health insurance carriers in Colorado used SSNs as full or partial policy ID numbers. That all changed several years ago and carriers switched to assigned ID numbers. With more of a push towards all digital medical records, there are valid concerns about data theft. But ID numbers used by medical offices and health insurance carriers can and should be encrypted or assigned, without use of a social security number.
As David pointed out, we really don't need to be too worried about our medical data being stolen. Medical identity theft is increasingly a problem, but that generally happens when someone attempts to steal an insured's identity in order to receive healthcare under the victim's health insurance policy. Again, no theft of sensitive medical records, but a significant problem. Data security absolutely needs to be a priority as we transition to electronic medical records. But for the most part, the problems are not what people think of first (sensitive medical data being compromised), but rather, theft of credit card numbers and social security numbers, as well as people who try to fraudulently use another person's health insurance coverage.