(no title)

If the "allowed" ICD code is linked to the public key, or in the worst case if the patient provides the disposable private key to the insurance for verification (along with PCI like rules forbidding this key to be stored, like credit card expiration date if I remember correctly) this couldn't happen.

It is gross negligence to keep these things together for longer than they need to be. Private data should be seen as a liability.