Personalized health analytics increasingly rely on population benchmarks to provide contextual insights such as ''How do I compare to others like me?'' However, cohort-based aggregation of health data introduces nontrivial privacy risks, particularly in interactive and longitudinal digital platforms. Existing privacy frameworks such as $k$-anonymity and differential privacy provide essential but largely static guarantees that do not fully capture the cumulative, distributional, and tail-dominated nature of re-identification risk in deployed systems. In this work, we present a privacy-preserving cohort analytics framework that combines deterministic cohort constraints, differential privacy mechanisms, and synthetic baseline generation to enable personalized population comparisons while maintaining strong privacy protections. We further introduce a stochastic risk modeling approach that treats re-identification risk as a random variable evolving over time, enabling distributional evaluation through Monte Carlo simulation. Adapting quantitative risk measures from financial mathematics, we define Privacy Loss at Risk (P-VaR) to characterize worst-case privacy outcomes under realistic cohort dynamics and adversary assumptions. We validate our framework through system-level analysis and simulation experiments, demonstrating how privacy-utility tradeoffs can be operationalized for digital health platforms. Our results suggest that stochastic risk modeling complements formal privacy guarantees by providing interpretable, decision-relevant metrics for platform designers, regulators, and clinical informatics stakeholders.
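The abstract treats re-identification risk as a random variable that accumulates over time and defines P-VaR as a quantile of that distribution, by analogy with Value at Risk. The block below is an added illustration, not the paper's own simulator: it assumes a toy model in which a user's cohort is re-formed each day with random size, a random number of benchmark releases touch it, each release is charged a fixed epsilon under basic sequential composition, and releases for cohorts below a k-anonymity-style floor are refused. Monte Carlo over many such trajectories yields the empirical loss distribution, from which P-VaR at a chosen confidence level, the exceedance probability for a budget, and the gap to the static worst-case bound are read off. All parameter values are assumed.

```python
"""Monte Carlo estimate of Privacy Loss at Risk (P-VaR).

Added example; the dynamics below (cohort churn, release counts, basic
composition) are assumptions for illustration, not the paper's model.
"""
import math
import random
import statistics


def cohort_allowed(cohort_size, k_min):
    """Deterministic cohort constraint: release a benchmark only when the
    cohort has at least k_min members (a k-anonymity-style floor)."""
    return cohort_size >= k_min


def simulate_trajectory(rng, days, eps_per_release, k_min, mean_cohort,
                        max_releases_per_day):
    """Cumulative epsilon charged to one user over `days` days.

    Assumed model: each day the user's cohort is reconstituted with a
    size drawn around mean_cohort (Gaussian approximation of Poisson
    churn), a uniform number of benchmark queries touch it, and every
    released query costs eps_per_release under basic sequential
    composition. Queries against undersized cohorts are refused and
    therefore cost nothing.
    """
    loss = 0.0
    for _ in range(days):
        size = max(0, int(rng.gauss(mean_cohort, mean_cohort ** 0.5)))
        releases = rng.randint(0, max_releases_per_day)
        if cohort_allowed(size, k_min):
            loss += releases * eps_per_release
    return loss


def monte_carlo_losses(n_paths, seed=7, **params):
    """Independent trajectories; seeded so results are reproducible."""
    rng = random.Random(seed)
    return [simulate_trajectory(rng, **params) for _ in range(n_paths)]


def privacy_loss_at_risk(losses, alpha):
    """P-VaR_alpha: the smallest loss l such that at least a fraction
    alpha of simulated trajectories end with cumulative loss <= l.
    This is the direct analogue of Value at Risk on a loss distribution."""
    if not 0 < alpha <= 1:
        raise ValueError("alpha must lie in (0, 1]")
    ordered = sorted(losses)
    idx = max(0, math.ceil(alpha * len(ordered)) - 1)
    return ordered[idx]


def tail_report(losses, budget, alphas=(0.5, 0.95, 0.99)):
    """Decision-relevant summary: mean loss, P-VaR at several levels and
    the probability that a trajectory exceeds the platform's budget."""
    return {
        "mean": statistics.fmean(losses),
        "p_var": {a: privacy_loss_at_risk(losses, a) for a in alphas},
        "p_exceed_budget": sum(1 for l in losses if l > budget) / len(losses),
    }


# Assumed platform parameters for the illustration.
PARAMS = dict(days=90, eps_per_release=0.05, k_min=20, mean_cohort=24,
              max_releases_per_day=3)
# Static worst case: every day, every release happens and is charged.
STATIC_BOUND = (PARAMS["days"] * PARAMS["max_releases_per_day"]
                * PARAMS["eps_per_release"])

if __name__ == "__main__":
    losses = monte_carlo_losses(5000, **PARAMS)
    report = tail_report(losses, budget=5.0)
    print("static worst-case bound:", STATIC_BOUND)
    print("mean loss:", round(report["mean"], 3))
    for a, v in report["p_var"].items():
        print(f"P-VaR_{a}:", round(v, 3))
    print("P(loss > budget):", report["p_exceed_budget"])
```

The static bound (`STATIC_BOUND`) is what a composition theorem alone reports; the simulated quantiles show how far below it realistic cohort dynamics keep the tail, and the exceedance probability is the number a platform owner can set a policy against. Swapping in a different cohort-churn or query-arrival model only changes `simulate_trajectory`.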