Thousands of people have received brain scans, as well as cognitive and genetic tests, while participating in research studies. Though the data may be widely distributed among scientists, most participants assume their privacy is protected because researchers remove their names and other identifying information from their records.
But could a curious family member identify one of them just from a brain scan? Could a company mining medical records to sell targeted ads do so, or someone who wants to embarrass a study participant?
The answer is yes, investigators at the Mayo Clinic reported on Wednesday.
A magnetic resonance imaging scan captures the entire head, including the subject’s face. And while the countenance is blurry, imaging technology has advanced to the point that the face can be reconstructed from the scan.
Under some circumstances, that face can be matched to an individual with facial recognition software.
In a letter published in the New England Journal of Medicine, researchers at the Mayo Clinic showed that the required steps are not complex. But privacy experts questioned whether the process could be replicated on a much larger scale with today’s technology.
The subjects were 84 healthy participants in a long-term study of about 2,000 residents of Olmsted County, Minn. Participants get brain scans to look for signs of Alzheimer’s disease, as well as cognitive, blood and genetic tests.
Over the years, the study has accumulated more than 6,000 M.R.I. scans. (Participants are not told the results of their tests.)
After the participants agreed to the experiment, a team led by Christopher Schwarz, a computer scientist at the Mayo Clinic, photographed their faces and, separately, used a computer program to reconstruct faces from the M.R.I.’s.
Then the team turned to facial recognition software to see if the participants could be correctly matched. The program correctly identified 70 of the subjects. Only one correct match would be expected by chance, Dr. Schwarz said.
Admittedly, he added, this was a fairly simple test. The facial recognition software only had to search through photos of 84 people, not thousands or millions.
But the fact that this was a straightforward test is “beside the point,” said Aaron Roth, a computer scientist and privacy expert at the University of Pennsylvania.
“It is clear that eventually this will be a worrying attack” on stored medical data, he said.
The more likely abuse may be even easier than the method tested by the Mayo researchers, Dr. Roth said. Imagine that a bad actor already knew that a particular person was a study subject, and perhaps had some information regarding age and gender.
Under those circumstances, it should be far less difficult to find that person’s M.R.I. than to start with the scan and discover the subject’s identity. The task is “unfortunately reasonably straightforward,” Dr. Schwarz said.
The privacy threat is real, said Dr. Michael Weiner of the University of California, San Francisco.
Dr. Weiner directs a national study called the Alzheimer’s Disease Neuroimaging Initiative, which has enrolled 2,400 healthy people in an effort to find signs of dementia before a person shows symptoms.
With the publication of the research by the Mayo Clinic, he said, the initiative’s administrators will send letters to participating research centers informing them of the potential for privacy breaches.
The data in the study are stripped of identifying information, like participants’ names and Social Security numbers, but their M.R.I. scans do include faces. The only privacy protection for subjects so far has been the fact that researchers who want to access data from the study have to sign agreements saying that they will not try to identify participants.
“There have been millions of image downloads,” said Dr. Arthur Toga of the University of Southern California, whose group sends out M.R.I. scans and other data to researchers who request them from A.D.N.I. About 6,300 investigators have received study data, he said.
Dr. Weiner is himself a participant in that study, and his brain scans are included in the research data.
“My genetics are there,” he said. “All my tests are there. I bet there are a lot of images of me on the internet. You could match me to an A.D.N.I. subject code and look at all of my data.”
“The question is, what can we do now?”
The obvious way to fix the problem would be to remove faces from M.R.I. scans stored in databases. That process, though, blurs the image of the brain.
Also, fixing images in that way would not help protect the privacy of millions of subjects whose brain scans are already stored by A.D.N.I., the Mayo study and other large research projects.
Dr. Schwarz said his group is working on another solution, but declined to say what it is. Yves-Alexandre de Montjoye, a privacy researcher at Imperial College London, questioned whether an easy fix is even possible.
“If it doesn’t exist, that raises a lot of questions about how M.R.I. data is used,” he said. The Mayo group’s letter, he added, “is a good warning.”