Abstract: Methods and systems to de-identify a longitudinal dataset of personal records based on journalistic risk computed from a sample set of the personal records, including determining a similarity distribution of the sample set based on quasi-identifiers of the respective personal records, converting the similarity distribution of the sample set to an equivalence class distribution, and computing journalistic risk based on the equivalence distribution. In an embodiment, multiple similarity measures are determined for a personal record based on comparisons with multiple combinations of other personal records of the sample set, and an average of the multiple similarity measures is rounded. In an embodiment, similarity measures are determined for a subset of the sample set and, for each similarity measure, the number of records having the similarity measure is projected to the subset of personal records. Journalistic risk may be computed for multiple types of attacks.

Abstract: A data anonymization pipeline system for managing holding and pooling data is disclosed. The data anonymization pipeline system transforms personal data at a source and then stores the transformed data in a safe environment. Furthermore, a re-identification risk assessment is performed before providing access to a user to fetch the de-identified data for secondary purposes.

Abstract: Methods and systems to de-identify a longitudinal dataset of personal records based on journalistic risk computed from a sample set of the personal records, including determining a similarity distribution of the sample set based on quasi-identifiers of the respective personal records, converting the similarity distribution of the sample set to an equivalence class distribution, and computing journalistic risk based on the equivalence distribution. In an embodiment, multiple similarity measures are determined for a personal record based on comparisons with multiple combinations of other personal records of the sample set, and an average of the multiple similarity measures is rounded. In an embodiment, similarity measures are determined for a subset of the sample set and, for each similarity measure, the number of records having the similarity measure is projected to the subset of personal records. Journalistic risk may be computed for multiple types of attacks.

Abstract: A data anonymization pipeline system for managing holding and pooling data is disclosed. The data anonymization pipeline system transforms personal data at a source and then stores the transformed data in a safe environment. Furthermore, a re-identification risk assessment is performed before providing access to a user to fetch the de-identified data for secondary purposes.

Abstract: Methods and systems to de-identify data records, including to merge pairs of clusters data records of individuals until a number of data records of each cluster meets a minimum size threshold, de-identify the clusters when each cluster meets the minimum size threshold, assess a risk of re-identification of the de-identified clusters based on k-anonymity, increase the minimum size threshold and re-perform the merge, the de-identify, and the assess a risk, if the assessed risk does not meet a risk criterion, and present the de-identified clusters on a display when the assessed risk meets the risk criterion.

Abstract: Longitudinal data can be synthesized by first generating baseline characteristics and first event values for a plurality of synthetic individuals. The baseline characteristics and first event values are used to synthesize a plurality of subsequent events.

Abstract: The present disclosure is related to a method of geo-clustering of data for de-identification of a dataset. The method includes generating a plurality of geoclusters based on a plurality of geocodes. The geocodes may include ZIP codes or postal codes. The method further includes identifying the geoclusters having the smallest population. The geocluster having the smallest population is iteratively merged with the nearest geocluster until a minimum population threshold is met. Once the smallest geocluster meets the minimum population threshold, the plurality of geoclusters can be used to cluster the geocodes within a dataset to be de-identified.

Abstract: Methods and systems to de-identify a longitudinal dataset of personal records based on journalistic risk computed from a sample set of the personal records, including determining a similarity distribution of the sample set based on quasi-identifiers of the respective personal records, converting the similarity distribution of the sample set to an equivalence class distribution, and computing journalistic risk based on the equivalence distribution. In an embodiment, multiple similarity measures are determined for a personal record based on comparisons with multiple combinations of other personal records of the sample set, and an average of the multiple similarity measures is rounded. In an embodiment, similarity measures are determined for a subset of the sample set and, for each similarity measure, the number of records having the similarity measure is projected to the subset of personal records. Journalistic risk may be computed for multiple types of attacks.

Abstract: A risk of re-identifying a particular individual associated with a record in a dataset can be assessed by synthesizing a dataset from a dataset to be shared and then sampling a synthetic microdata dataset from the synthetic dataset. The synthetic dataset and the synthetic microdata dataset can then be used to estimate the risk of re-identifying an individual from the dataset to be shared.

Abstract: A system, method and computer readable memory for determining journalist risk of a dataset using population equivalence class distribution estimation. The dataset may be a cross-sectional data set or a longitudinal dataset. The determine risk of identification can be determined and used in de-identification process of the dataset.

Abstract: Synthetic data may be used in place of an original dataset to avoid or mitigate disclosure risks pertaining to information of the original dataset. Synthetic data may be generated by optimizing a variable ordering used by a sequential tree generation method. The loss function used in optimizing may be based on a distinguishability between the source data and generated synthetic data.

Abstract: Although synthetic data synthesized from real sample data may not have a direct matching between synthetic data and individuals, there may still be a risk with identity disclosure. The identity disclosure risks associated with fully synthetic data may be assessed.

Abstract: A data anonymization pipeline system for managing holding and pooling data is disclosed. The data anonymization pipeline system transforms personal data at a source and then stores the transformed data in a safe environment. Furthermore, a re-identification risk assessment is performed before providing access to a user to fetch the de-identified data for secondary purposes.

Abstract: There is provided a system and method executed by a processor for estimating re-identification risk of a single individual in a dataset. The individual, subject or patient is described by a data subject profile such as a record in the dataset. A population distribution is retrieved from a storage device, the population distribution is determined by one or more quasi-identifying fields identified in the data subject profile. An information score is then assigned to each quasi-identifying (QI) value of the one or more quasi-identifying fields associated with the data subject profile. The assigned information scores of the quasi-identifying values for the data subject profile are aggregated into an aggregated information value. An anonymity value is then calculated from the aggregated information value and a size of a population associated with the dataset. A re-identification metric for the individual from the anonymity value is then calculated.

Abstract: A method includes receiving an initial dataset. Each record of the initial dataset comprises a set of quasi-identifier attributes and a set of non-quasi-identifier attributes. A processor assigns a link identifier to each record and replaces each set of quasi-identifier attributes with a range to form a generalized set. The processor removes duplicate records based on identical generalized sets to generate de-duplicated records. The processor generates a randomized record by replacing the generalized set of each de-duplicated record with a corresponding set of random values. The processor passes the set of random values of each randomized record through multiple hash functions to generate multiple outputs. The multiple outputs are mapped to a Bloom filter. The processor forms a dataset by combining each randomized record with one or more sets of non-quasi-identifier attributes. The set of random values is a fingerprint for a corresponding record of the dataset.

Abstract: A computer-implemented system and method to reduce re-identification risk of a data set. The method includes the steps of retrieving, via a database-facing communication channel, a data set from a database communicatively coupled to the processor, the data set selected to include patient medical records that meet a predetermined criteria; identifying, by a processor coupled to a memory, direct identifiers in the data set; identifying, by the processor, quasi-identifiers in the data set; calculating, by the processor, a first probability of re-identification from the direct identifiers; calculating, by the processor, a second probability of re-identification from the quasi-direct identifiers; perturbing, by the processor, the data set if one of the first probability or second probability exceeds a respective predetermined threshold, to produce a perturbed data set; and providing, via a user-facing communication channel, the perturbed data set to the requestor.

Abstract: System and method to produce an anonymized cohort, members of the cohort having less than a predetermined risk of re-identification. The system includes a user-facing communication interface to receive an anonymized cohort request comprising traits to include in members of the cohort; a data source-facing communication channel to query a data source, to find anonymized records that possess at least some of the requested traits; and a processor programmed to carry out the instructions of: forming a dataset from at least some of the anonymized records; calculating a risk of re-identification of the anonymized records in the dataset based upon the data query; perturbing anonymized records in the dataset that exceed a predetermined risk of re-identification, until the risk of re-identification is not greater than the pre-determined threshold, to produce the anonymized cohort; and providing, via a user-facing communication channel, the anonymized cohort.

Abstract: A method includes receiving an initial dataset. Each record of the initial dataset comprises a set of quasi-identifier attributes and a set of non-quasi-identifier attributes. A processor assigns a link identifier to each record and replaces each set of quasi-identifier attributes with a range to form a generalized set. The processor removes duplicate records based on identical generalized sets to generate de-duplicated records. The processor generates a randomized record by replacing the generalized set of each de-duplicated record with a corresponding set of random values. The processor passes the set of random values of each randomized record through multiple hash functions to generate multiple outputs. The multiple outputs are mapped to a Bloom filter. The processor forms a dataset by combining each randomized record with one or more sets of non-quasi-identifier attributes. The set of random values is a fingerprint for a corresponding record of the dataset.

Abstract: In longitudinal datasets, it is usually unrealistic that an adversary would know the value of every quasi-identifier. De-identifying a dataset under this assumption results in high levels of generalization and suppression as every patient is unique. Adversary power gives an upper bound on the number of values an adversary knows about a patient. Considering all subsets of quasi-identifiers with the size of the adversary power is computationally infeasible. A method is provided to assess re-identification risk by determining a representative risk which can be used as a proxy for the overall risk measurement and enable suppression of identifiable quasi-identifiers.

Abstract: There is provided a system and method executed by a processor for estimating re-identification risk of a single individual in a dataset. The individual, subject or patient is described by a data subject profile such as a record in the dataset. A population distribution is retrieved from a storage device, the population distribution is determined by one or more quasi-identifying fields identified in the data subject profile. An information score is then assigned to each quasi-identifying (QI) value of the one or more quasi-identifying fields associated with the data subject profile. The assigned information scores of the quasi-identifying values for the data subject profile are aggregated into an aggregated information value. An anonymity value is then calculated from the aggregated information value and a size of a population associated with the dataset. A re-identification metric for the individual from the anonymity value is then calculated.