Fig. 2: Classes of privacy threats without the need for personal data (de-identified datasets).

a Identity Disclosure. Linkage Attacks combine multiple online datasets to infer identity. Aggregated datasets include publicly reported statistical data. Artificial Intelligence can be trained to infer identity from historically ‘non-identifiable’ data such as raw ECGs, chest X-rays or other data. b Attribute and Membership Disclosure. Attribute disclosure can reveal if a patient record has a feature such as alcohol use or a disease, without revealing their precise identity. Membership Inference Attack (MIA) can identify if an individual is present in a dataset, which could be a list of patients who are HIV positive or have not paid their bills. Differencing attacks operate on sequentially released data, to infer the presence of an individual if they are present in one version yet missing in another.