FTC report on use of social security numbers: I've stated over and over, the biggest problem with medical data theft/loss is the fact that the information can be used for fraud, ID theft, or related evils, not that the medical part of the information could be used for any value (other than the California snoopin'/celebrity issues). Part of that problem is that we, as a society and an economy, use Social Security Numbers as the primary personal identifier. Since they must be used for most financial transactions to verify the identity of the participant, they tend to be used by healthcare providers (who in most instances are involved in high-value financial transactions with their patients) as primary identifiers.
HIPAA required the development of a personal identifier for each individual patient/participant in the healthcare industry (unique patient identifier, or UPI), but while identifiers for plans and providers were fairly easily completed, the personal identifier has hopelessly stalled, mainly on the back of privacy concerns. If someone finds out your UPI, they can access all of your medical information, and that scares the privacy paranoids. Unfortunately, that leaves us with the patient's SSN effectively serving as their UPI; if someone discovers your SSN, theoretically they can access all of your medical information AND all of your financial information, too.
Healthcare isn't unique in using SSNs this way. The Federal Trade Commission has issued a report on the use of SSNs, and in ways to limit the damage of widespread use of SSNs. Development of UPIs would help. I understand the concerns of the privacy paranoids, but really, using UPIs would actually help, by reducing the use of SSNs, which frankly are much bigger problems.