LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

Walk through a concrete re-identification by linking: how can an "anonymized" health record reveal that a named person has diabetes?

By combining the anonymized record's quasi-identifiers (34, female, ZIP 12345) with a public voter roll that lists names alongside the same fields — only "Anna" matches, so we learn Anna has diabetes.

An anonymized health record and a public voter roll link on shared quasi-identifiers; only Anna matches.

* Linking an anonymized health record to a public voter roll re-identifies Anna. *

The two datasets:

  • Dataset A — anonymized health data: { Age 34, Female, ZIP 12345, Disease: Diabetes } (the name was removed before release)
  • Dataset B — public voter register: { Name: Anna, Age 34, Female, ZIP 12345 }, plus Bernd and Claudia with different attributes

The three steps:

  1. Combine the attributes — the health record describes "a 34-year-old woman in ZIP 12345 with diabetes."
  2. Re-identify — in the voter roll, only Anna matches that age + gender + ZIP combination.
  3. Link — joining the two on the shared quasi-identifiers attaches Anna's name to the sensitive disease field.

Result: we now know Anna has diabetes — a sensitive fact she never disclosed — purely from one "anonymized" file and one public file.

Key lesson: this is exactly the attack Latanya Sweeney demonstrated at scale. Removing the name achieved nothing because the quasi-identifiers, cross-referenced with a public dataset, rebuilt the identity. Anonymization must account for what external data an attacker can link against.

Go deeper:

From Quiz: PRIVACY / Identities, Anonymity & Data Protection Goals | Updated: Jul 05, 2026