Inferensys

Glossary

Linkage Attack

A privacy attack where an adversary cross-references a de-identified dataset with publicly available external datasets to re-identify individuals by matching shared quasi-identifiers.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
PRIVACY VULNERABILITY

What is a Linkage Attack?

A linkage attack is a data re-identification technique where an adversary cross-references a de-identified dataset with external, publicly available datasets to re-identify individuals by matching shared quasi-identifiers.

A linkage attack exploits the presence of quasi-identifiers—attributes like ZIP code, gender, and date of birth that are not unique on their own but become identifying when combined. By joining a de-identified medical dataset with a voter registration database or public census records, an attacker can triangulate a specific individual's identity, breaking the privacy guarantees of the de-identification process.

This attack vector is the primary reason the HIPAA Safe Harbor method mandates the removal of 18 specific identifiers. Mitigating linkage risk requires formal privacy models like k-anonymity or differential privacy, which mathematically bound the probability of successful re-identification even when an adversary possesses auxiliary information.

RE-IDENTIFICATION VECTORS

Key Characteristics of Linkage Attacks

Linkage attacks exploit the fundamental tension between data utility and privacy. By cross-referencing seemingly innocuous quasi-identifiers in de-identified datasets with external public records, adversaries can reconstruct identities with alarming precision.

01

Quasi-Identifier Exploitation

Quasi-identifiers are attributes that are not unique on their own but become identifying when combined. Common examples include:

  • Date of birth + ZIP code + gender (Latanya Sweeney's landmark demonstration identified 87% of the U.S. population using only these three fields)
  • Admission and discharge dates cross-referenced with public obituary records
  • Employer + occupation matched against LinkedIn profiles

The attacker does not need a name or Social Security number—they exploit the combinatorial uniqueness of residual attributes that were left intact to preserve analytical utility.

87%
U.S. population identifiable via ZIP, DOB, gender
3
Quasi-identifiers sufficient for re-ID
02

External Dataset Cross-Referencing

The attack's power derives from joining de-identified records with publicly available auxiliary datasets that contain overlapping attributes. Common external sources include:

  • Voter registration databases (name, address, DOB, party affiliation)
  • Property tax records (owner name, property address, sale price)
  • Commercial data brokers (aggregated consumer profiles with thousands of attributes)
  • Social media profiles (self-disclosed demographic and location data)

The attacker performs a deterministic join on shared columns, effectively reversing the de-identification by matching the quasi-identifier fingerprint to a known identity.

10K+
Commercial data broker attributes per individual
03

Record Linkage Algorithms

Attackers employ probabilistic and deterministic matching algorithms originally developed for legitimate data integration tasks:

  • Deterministic matching: Exact joins on shared identifiers (e.g., ZIP code + DOB)
  • Probabilistic matching: Fuzzy string comparison using Jaro-Winkler distance or TF-IDF cosine similarity to handle typos, abbreviations, and formatting inconsistencies
  • Blocking techniques: Partitioning datasets into blocks by high-certainty attributes (e.g., state) to reduce the computational complexity of all-pairs comparison
  • Supervised classification: Training models on known matches to predict linkage probability for candidate pairs

These techniques routinely achieve 95%+ precision when sufficient quasi-identifiers overlap between datasets.

95%+
Typical linkage precision
04

Composition Attack Variant

A composition attack occurs when an adversary combines multiple independently released de-identified datasets that all pertain to the same individuals. Each dataset alone may satisfy a privacy threshold, but their intersection reveals additional quasi-identifiers:

  • Dataset A: Demographics (age, gender, ZIP)
  • Dataset B: Medical encounters (diagnosis codes, procedure dates)
  • Dataset C: Pharmacy claims (drug names, fill dates)

By linking A, B, and C on shared attributes, the attacker constructs a comprehensive profile with enough granularity to uniquely identify individuals. This is the primary reason differential privacy frameworks account for cumulative information leakage across multiple releases.

3+
Datasets sufficient for composition attack
05

Temporal Inference Exploitation

Time-stamped data creates unique re-identification vectors because temporal sequences are highly individualistic:

  • Hospital admission/discharge timestamps matched against public social media check-ins or news reports of accidents
  • Lab test ordering sequences correlated with known clinical pathways that reveal condition onset windows
  • Pharmacy fill dates cross-referenced with insurance claims databases that contain precise transaction timestamps

Even when exact dates are shifted using a date shift algorithm, the relative intervals between events often remain intact to preserve clinical utility—and these interval patterns can serve as a distinctive fingerprint for re-identification.

< 1 week
Typical temporal resolution for re-ID
06

Genomic Re-identification

Genetic data presents a uniquely irreversible re-identification risk because DNA is inherently identifying:

  • Y-chromosome STR haplotypes matched against recreational genealogy databases (e.g., GEDmatch, FamilyTreeDNA) can identify male relatives and triangulate to the subject
  • SNP arrays containing hundreds of thousands of variants can be cross-referenced with direct-to-consumer testing databases
  • Even aggregate allele frequency data from genome-wide association studies has been shown to allow detection of an individual's participation in a study cohort

Unlike quasi-identifiers, genomic data cannot be meaningfully de-identified—it is the ultimate persistent identifier, making linkage attacks against genomic datasets particularly high-impact.

100%
DNA uniqueness (except identical twins)
LINKAGE ATTACKS

Frequently Asked Questions

Explore the mechanics, risks, and mitigation strategies for linkage attacks—the primary threat vector against de-identified clinical data.

A linkage attack is a privacy breach where an adversary cross-references a de-identified dataset with external, publicly available datasets to re-identify individuals by matching shared quasi-identifiers. The attack exploits the fact that while direct identifiers like names are removed, combinations of indirect attributes (e.g., date of birth, gender, and ZIP code) remain uniquely identifying. The attacker joins the two datasets on these common attributes, linking the sensitive medical record to a real-world identity. This demonstrates that removing 18 Safe Harbor identifiers is insufficient if the remaining data is not statistically assessed for uniqueness against the broader population.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.