verifiable health intelligence
personalized health recommendations. your data never leaves your device. not a privacy policy. math.
the origin
i track everything, not out of obsession but out of curiosity: continuous glucose for more than a thousand days, sleep architecture every night, HRV, training load, the macros of nearly every meal. it is a strange kind of intimacy, this data. three years of glucose readings tell you when i sleep, when i eat, when i am stressed, when i am getting sick, and they map a metabolism with a precision that feels almost uncomfortable once you notice it.
last month i came within one click of giving all of it away. the app was beautiful, the onboarding effortless, and the promise was exactly what i wanted: upload your CGM data, get meal recommendations tuned to your own glucose responses. my finger was over "connect account" when i read the privacy policy. the company had been acquired twice in eighteen months, the current owner was a data broker i had never heard of, the retention was indefinite, and somewhere in paragraph 47 they reserved the right to share "de-identified" data with research partners. i closed the app.
here is the thing. i build these systems, so i know how valuable that data is and how fragile every promise around it turns out to be. the startup that swears to protect you today gets bought tomorrow by someone with different incentives, and the encryption that looks unbreakable still sits on a server whose keys somebody, somewhere, can reach. i have exactly the kind of longitudinal health data that would make a personalized model genuinely useful, and i will not hand it to anyone. which raises the obvious question: if i would not trust my own data to the systems i would build, why should anyone else?
you cannot secure what you collect
2024 was not an unusual year, it was the trend made visible. more than 276 million healthcare records were breached in the united states, roughly 81% of the population; the change healthcare ransomware attack alone exposed around 190 million people, and the average breach ran past ten million dollars. on the black market a medical history trades for many times the price of a credit card, for the simple reason that a card can be cancelled and a diagnosis cannot.
the pattern underneath those numbers is not carelessness, it is architecture. every health-AI company runs the same playbook: collect the data, store it centrally, run models against it, and promise to keep it safe. the promise fails not because the engineers are sloppy but because a central store of valuable data is a target by construction, and the more useful you make it, the bigger the target grows. the only data that cannot leak is the data you never hold.
proving without revealing
the traditional approach assumes you have to see the data to reason about it. you do not. a zero-knowledge proof lets you show that a statement is true while revealing nothing about why it is true. i can prove my average glucose response to carbohydrates sits in a healthy range without exposing a single reading; a patient can prove they meet a trial's criteria without surrendering their medical history; you can prove you are over eighteen without showing your birthday. the verification is mathematical and cannot be faked, yet it carries none of the underlying data with it.
this is not theoretical. zero-knowledge systems run in production today, settling billions in cryptocurrency transactions and verifying credentials inside enterprises. healthcare simply has not adopted them yet.
the math, briefly
a proof system has to satisfy three properties at once. completeness means a true statement will convince an honest verifier. soundness means a false statement will not, however the prover tries to cheat. and zero-knowledge means the verifier, once convinced, has learned nothing beyond the single fact in question. the third property is where the magic lives, because you walk away certain the claim is true and no wiser about anything else.
the engineering has moved through a few generations, and each one trades something away. groth16 produces tiny proofs that verify in milliseconds but needs a fresh trusted-setup ceremony for every circuit. PLONK introduced a universal setup, one ceremony for many circuits, at the cost of slightly larger proofs. STARKs drop the trusted setup entirely and are plausibly secure against a future quantum computer, though their proofs run to tens of kilobytes. for health verification i have been building on PLONK, because the universal setup avoids a per-circuit trust ceremony, the proofs stay small enough for a phone, and the tooling around circom and snarkjs is mature enough to lean on.
why anonymization is not the answer
the obvious objection is that we already have a fix: strip the names and share the data. we do not. anonymization tries to remove what identifies a person while keeping the data useful, and those two goals pull against each other. researchers have shown that 99.98% of americans can be re-identified from just fifteen demographic attributes, and "de-identified" datasets have been unmasked again and again, from browsing histories to medical records. the more useful a dataset is, the more it can be linked back to the people inside it. a zero-knowledge proof sidesteps the whole problem, because there is no anonymized dataset left to re-identify. there is only a proof about one specific claim, and a proof says nothing else.
what it makes possible
once you can prove a health fact without giving up the data behind it, a lot of things that are awkward today turn clean. patients can screen themselves for clinical trials without exposing their full history, so recruitment speeds up and privacy holds. an insurer can confirm eligibility without reading every detail. a model can return personalized recommendations based on characteristics it has verified but never actually seen. a european patient can prove their status to a US provider with no personal data crossing the border, only a proof. and someone can show they do or do not carry a genetic marker without anyone ever touching their genome.
the honest limits
i would rather name the hard parts than have them found. the cryptography is sound; the bottleneck is expressing health logic as arithmetic circuits, and a complex verification still takes fifteen to thirty seconds on a mid-range phone when interactive use needs it under two. not every computation fits efficiently into a circuit either, machine-learning models least of all. and a proof only attests to the data at the moment it was made, so freshness has to be designed in rather than assumed.
the harder limits are not technical at all. zero-knowledge protects data on the wire, not the device it lives on, and malware on a compromised phone can read the inputs before a proof is ever generated. the social risk runs the other way too: a tool that lets you voluntarily prove "i have no pre-existing condition" can quietly become a tool you are expected to use, which is the exact discrimination the rules were written to prevent. the math is neutral. the deployment needs guardrails, and pretending otherwise would be its own kind of dishonesty.
the point
the architecture of a health system decides its privacy long before any policy does. systems that pool data centrally will be breached, not because the people running them are careless but because a honeypot is a honeypot. the 276 million exposed records are evidence of a structural choice, not a run of bad luck.
zero-knowledge proofs offer a different choice: prove the claim, keep the data, and let the math do the work that promises cannot. the proving times are still too slow for real-time use, the circuits still demand specialist care, and the stakeholders still have to be taught to trust a guarantee they cannot see. but those are problems of engineering and education, not of principle. for the eighty-one percent of americans whose records were exposed last year, and for anyone who, like me, tracks everything and trusts no one with it, this is the only architecture that makes sense. health AI can be powerful and private at once, if we build it that way from the start.
references
- Goldwasser, S., Micali, S., Rackoff, C. (1989). The Knowledge Complexity of Interactive Proof Systems. SIAM Journal on Computing, 18(1).
- Groth, J. (2016). On the Size of Pairing-Based Non-Interactive Arguments. EUROCRYPT 2016.
- Ben-Sasson, E. et al. (2018). Scalable, Transparent, and Post-Quantum Secure Computational Integrity (STARKs). IACR ePrint.
- Gabizon, A., Williamson, Z., Ciobotaru, O. (2019). PLONK. IACR ePrint.
- iden3. (2024). circom 2.0 and snarkjs.
- HIPAA Journal. (2025). 2024 Healthcare Data Breach Report.
- Rocher, L., Hendrickx, J.M., de Montjoye, Y.-A. (2019). Estimating the success of re-identifications in incomplete datasets. Nature Communications, 10, 3069.
- HL7 International. (2019). HL7 FHIR R4 Specification.
- European Parliament. (2016). General Data Protection Regulation (GDPR).
last updated: Jun 2026