From theory to practice: Re-identification Challenge to test imaging data pseudonymization effectiveness

DICOM image pseudonymization is an effective measure to protect patient privacy and ensure compliance with the GDPR. However, no standardized methods guarantee the irreversible anonymization of DICOM images or provide evidence on the robustness of these procedures. Organizations such as NEMA propose pseudonymization profiles for DICOM metadata, but the risk to data protection is assumed by the entity responsible for pseudonymization, as the potential privacy risks associated with their use cannot be accurately assessed. In the Re-identification Challenge, the selected 68 participants were tasked with re-identifying 38 pseudonymized DICOM studies from multiple European acquisition sites, modalities and anatomical regions. The data were pseudonymized using the pseudonymization profiles developed in ChAImeleon1 and ProCancer-I2 European AI4HI projects. No participants were able to trace back the identity of the patients, demonstrating the effectiveness of these pseudonymization profiles. Despite minor vulnerabilities identified in areas such as free-text metadata, 3D reconstructions, and usability limitations, no successful re-identification occurred—even with monetary rewards offered to participants.