Walk through a concrete re-identification by linking: how can an "anonymized" health record reveal that a named person has diabetes?
By combining the anonymized record's quasi-identifiers (34, female, ZIP 12345) with a public voter roll that lists names alongside the same fields — only "Anna" matches, so we learn Anna has diabetes.
* Linking an anonymized health record to a public voter roll re-identifies Anna. *
The two datasets:
- Dataset A — anonymized health data:
{ Age 34, Female, ZIP 12345, Disease: Diabetes }(the name was removed before release) - Dataset B — public voter register:
{ Name: Anna, Age 34, Female, ZIP 12345 }, plus Bernd and Claudia with different attributes
The three steps:
- Combine the attributes — the health record describes "a 34-year-old woman in ZIP 12345 with diabetes."
- Re-identify — in the voter roll, only Anna matches that age + gender + ZIP combination.
- Link — joining the two on the shared quasi-identifiers attaches Anna's name to the sensitive disease field.
Result: we now know Anna has diabetes — a sensitive fact she never disclosed — purely from one "anonymized" file and one public file.
Key lesson: this is exactly the attack Latanya Sweeney demonstrated at scale. Removing the name achieved nothing because the quasi-identifiers, cross-referenced with a public dataset, rebuilt the identity. Anonymization must account for what external data an attacker can link against.
Go deeper:
Data re-identification (Wikipedia) — the linkage-attack mechanism Sweeney demonstrated.