I think one important lesson from the recent big corporate health data hackings is that most of us don’t actually value health information privacy.
On the one hand, we would much rather be able to send an ordinary e-mail to our doctor or health insurance company and get an ordinary, unencrypted e-mail back than have to sign up for a secure service with an excellent, highly random password that we won’t actually remember.
We have no health information that’s really worth protecting. Maybe we had strep throat last year, or maybe we have high blood pressure and aren’t especially compliant about managing it. Big whoop-de-do.
Spending a lot of time and money protecting our health data privacy is pointless.
On the other hand, there are some people who really do need help protecting their health data privacy, because they’re celebrities who’ve had hair transplants, or people with well-controlled but potentially severe behavioral health problems that could conflict with the infamous weakness of the laws that allegedly protect workers with disabilities against discrimination.
On the third hand, the health care and health finance systems are unable to devote much energy to protecting those people’s genuinely sensitive health information because they’re wasting so much time protecting the information about our strep throats.