Privacy preserving data publishing of electronic health record (EHRs) for 1 to M datasets with multiple sensitive attributes (MSAs) is an interesting and challenging issue. There is always a trade-off between privacy and utility in data publishing. Most of the privacy-preserving models shows critical privacy disclosure issues and, hence, they are not robust in practical datasets. The k-anonymity model is a broadly used privacy model to analyze privacy disclosures, however, this model is only useful against identity disclosure. To address the limitations of k-anonymity, a group of privacy model extensions have been proposed in past years. It includes a p-sensitive k-anonymity model, a p+-sensitive k-anonymity model, and a balanced p+-sensitive k-anonymity model. However these privacy-preserving models are not sufficient to preserve the privacy of end-users in practical datasets. In this paper we have formalize the behavior of an adversary which perform identity and attribute disclosures on balanced p⁺-sensitive k-anonymity model with the help of adversarial scenarios. Since balanced p⁺-sensitive k-anonymity model is not sufficient for 1 to M with MSAs datasets privacy preservation. We propose an extended privacy model called “1: M MSA-(p, l)-diversity” for 1: M dataset with MSAs. We then perform formal modeling and verification of the proposed model using High-Level Petri Nets (HLPN) to confirm privacy attacks invalidation. Experimental results show that our proposed “1: M MSA-(p, l)-diversity model” is efficient and provide enhanced data utility of published data.

具有多个敏感属性（MSA）的1到M数据集的电子健康记录（EHR）的隐私保护数据发布是一个有趣且具有挑战性的问题。在数据发布中，隐私和实用程序之间总是要权衡取舍。大多数隐私保护模型都显示了关键的隐私披露问题，因此，它们在实际数据集中并不可靠。该ķ -anonymity模型是一种广泛使用的隐私模型分析隐私披露，但是，这种模式只是针对身份披露有用。为了解决k匿名性的局限性，在过去几年中已经提出了一组隐私模型扩展。它包括一个p敏感的k匿名模型，一个p +敏感的模型k-匿名模型和平衡的p +敏感k-匿名模型。但是，这些隐私保护模型不足以在实际数据集中保留最终用户的隐私。在本文中，我们已将对手的行为形式化，借助对手场景在平衡的p ^+-敏感k-匿名模型上执行身份和属性披露。由于平衡的p ⁺敏感的k-匿名模型不足以使用MSA数据集保护隐私，因此对于1到M是不够的。我们提出了一个扩展的隐私模型，称为“ 1：M MSA-（p，l）-diversity”表示1：具有MSA的M数据集。然后，我们使用高级Petri网（HLPN）对提出的模型进行正式建模和验证，以确认隐私攻击无效。实验结果表明，我们提出的“ 1：M MSA-（p，l）-多样性模型”是有效的，并且可以提高已发布数据的数据实用性。