DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
The amendments filed on December 16, 2021 have been entered.
Claims 1, 15, 18, and 21 have been amended.

Response to Arguments
Applicant’s arguments filed on December 16, 2021 have been fully considered but are not persuasive.   

Applicant’s argument:
With regard to the § 103 rejection, Applicant traverses and submits that the cited references fail to disclose all of the features of the claims as previously presented. Notwithstanding this traversal, Applicant has chosen to amend the independent claims solely in order to clarify the claimed subject matter.
Applicant submits that the cited references fail to disclose at least the newly-added features of the independent claims.

Examiners’ response to the argument: 
The examiners respectfully disagree. Mensinger discloses that two or more third party applications are associated with the node network (Parag. [0041]; (The art teaches that the dedicated application to provide some or all of the body-worn medical device generated data and dedicated application generated data to other applications (e.g., third-party application(s)) resident on the smart phone or other communicatively connected computing system (i.e., network))). Also, Mensinger discloses wherein said at least one processing device is further configured: to assign, based at least in part on whether the first one of the set of two or more third party applications exhibits at least a threshold level of commonality with one or more other 2   ones of the two or more third party applications associated with the node network, a first set of one or more classes of capabilities to the first one of the two or more third party applications; to assign, based at least in part on whether the second one of the set of two or more third party applications exhibits at least the threshold level of commonality with one or more other ones of the two or more third party applications associated with the node network, a second set of one or more classes of capabilities to the second one of the two or more third party applications, the second set of one or more classes of capabilities being different than the first set of one or more classes of capabilities (Parag. [0125-0127] and Fig. 10; (The art teaches determining a level of compliance (i.e., threshold level) for a medical device and providing data relating to glucose levels to the medical device based on the level of compliance. The example of FIG. 10 illustrates a way to control the type of data that is provided to other applications based on the level of compliance (i.e., threshold level) of other applications. This ensures that the dedicated application provides data only to trusted applications, or provides a reduced set of data to certain application compared to others. The dedicated application determines a level of compliance (i.e., threshold level) of another application or a third-party requesting access to the data relating to glucose levels. The dedicated application can determine the level of compliance in a variety of manners. For example, dedicated application accesses a listing of applications stored in memory or online that indicates whether an application has been approved as a medical device by the Food and Drug Administration and, if so, a corresponding classification for the medical device. In another embodiment, the application may provide an indication of its classification and security level (i.e., one or more classes of capabilities) to the dedicated application. If the level of compliance for an application is high (i.e., first set of one or more classes of capabilities), such as a class III medical device, the dedicated application provides the glucose data to the application. For example, the dedicated application can provide the application with data relating to glucose levels in real-time. If, however, the level of compliance is lower (i.e., second set of one or more classes of capabilities being different than the first set of one or more classes of capabilities), such as when the application is not a medical device, the dedicated application provides data relating to glucose levels with restrictions. For example, the restrictions may include encrypting data, providing a reduced set of data, delaying data, or any combination of the embodiments previously described with reference to FIGS. 1-10. In both situations of providing data without .
In addition, the secondary art of LaFever discloses wherein said at least one processing device is further configured: to select the first and second pseudonyms based at least in part on the first set of one or more classes of capabilities assigned to the first one of the two or more third party applications and the second set of one or more classes of capabilities assigned to the second one of the two or more third party applications (Abstract, Parag. [0019-0023], Parag. [0185], and Parag. [0473-0474]; (The art teaches systems, computer readable media, and methods for improving both data privacy/anonymity and data value, wherein data related to a data subject can be used and stored, while minimizing re-identification risk by unauthorized parties and enabling data, including quasi-identifiers, related to the data subject to be disclosed to any authorized party by granting access only to the data relevant to that authorized party's purpose, time period, place and/or other criterion via the obfuscation of specific data values. The art teaches use a first DDID at one time for a specific purpose pertaining to a first Data Subject, action, activity, process and/or trait, and then use a second DDID in association with the first Data Subject, action, activity, process and/or trait, for a different purpose. The art also teaches enabling the ability of Data Subjects to maintain flexible levels of privacy and/or anonymity under the control of a Data Subject or controlling entity that may be a trusted party. i.e., selecting the first and the second pseudonyms is based on the classification (trusted/untrusted) of third parties, and the related data subject to be disclosed to any authorized party is granted by providing only to the data relevant to that authorized party's purpose. The art also teaches that combined with the processes used to obfuscate data elements can then be separated into categorical or other types of classification schemas to determine various functions such as permitted uses and what level of permission entities need to have before using data. This process may also be applied to single or aggregated AMS scores. Aggregated AMS scores are the likelihood of multi data point re-identification expressed through AMS scores as compounded together to express the level of uniqueness of combined data points. As an example of a possible categorical classification schema, the AMS score could be broken into Categories A, B and C. Where category A is data with a single or aggregated score of 75 or more may be used only with current, express and unambiguous consent of the Data Subject. 

Claim Objections
Claims 1, 15, and 18 are objected to because of the following informality:

	Claim 1 	“to transmit at least a first portion of the received sensor data and the first computed predicate data to a first one of two or more third party applications associated with the node network” should read (Examiners’ suggestion) “to transmit at least a first portion of the received sensor data and the first computed predicate data to a first one of a set of two or more third party applications associated with the node network.” 

Claim 15	“transmitting at least a first portion of the received sensor data and the first computed predicate data to a first one of two or more third party applications associated with the node network” should read (Examiners’ suggestion) “transmitting at least a first portion of the received sensor data and the first computed predicate data to a first one of a set of two or more third party applications associated with the node network.”

Claim 18	“to transmit at least a first portion of the received sensor data and the first computed predicate data to a first one of two or more third party applications associated with the node network” should read (Examiners’ suggestion) “to transmit at least a first portion of the received sensor data and the first computed predicate data to a first one of a set of two or more third party applications associated with the node network.”  

Appropriate correction is required.




Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: 
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-9 and 11-21 are rejected under 35 U.S.C. 103 as being unpatentable over Mensinger et al. (Pub. No. US 2016/0232318), hereinafter Mensinger, in view of LaFever et al. (Pub. No. US 2018/0307859), hereinafter LaFever.

Claim 1. 	Mensinger discloses an apparatus comprising: 
at least one processing device comprising a processor coupled to a memory (Parag. [0051] and Fig. 1; (Computing device 106));  
said at least one processing device being configured: 
to receive sensor data from one or more nodes of a node network (Parag. [0036] and Parag. [0038-0039]; (The art teaches receiving glucose data from a continuous glucose sensor and controlling the use and redistribution of that data so it is used in an intended manner. Some ;  
to compute first and second predicate data based at least in part on the received sensor data (Parag. [0071-0072], Parag. [0076], and Parag. [0099-0101]; (The art teaches where the continuous glucose sensor unit transmits raw data values and the timestamps, the first application can convert the raw data values to a unit of measurement familiar to a user, such as mg/dL. The first application may be part of an approved medical device. The first application can control the type of data to provide to each third-party application. A third-party application may receive the same data as the dedicated application, or limited data such as with fewer data points, averaged data points, or an indication as to whether the glucose level is low, normal, or high without any specific data points. The first application separates that data into a first set and a second set according to a predetermined criteria, e.g., established controls. The established controls include, for example, rules for restricting access to a complete set of data for third-party applications, which may be based on user preferences or on default controls));  
to transmit at least a first portion of the received sensor data and the first computed predicate data to a first one of two or more third party applications associated with the node network; to transmit at least a second portion of the received sensor data and the second computed predicate data to a second one of the two or more third party applications (Parag. [0041], Parag. [0083], Parag. [0099-0101]; (The art teaches that the dedicated application to provide some or all of the body-worn medical device generated data and dedicated application generated data to other applications (e.g., third-party application(s)) resident on the smart phone or other communicatively connected computing system (i.e., network). The art teaches that the redistribution may be to one or more third-party applications running on the smart phone. The art teaches that the first application separates the received data into a first set of data and a second set of data. The first application divides the continuously generated glucose measurements into the first and second sets of data based on a predetermined criteria, e.g., such as a category or type of the data (e.g., which may be identified by a data field or metadata of the data), a timestamp of the data, a size of the data, a source of the data, or other factor associated with the received data. In some implementations of the exemplary method, the received data includes additional health or medical data, and the process includes the first application creating a set of data relating to the continuously generated glucose measurements ;  
to receive additional data from at least one of the first one of the two or more third party applications and the second one of the two or more third party applications responsive to at least one of the transmitted first and second portions of the received sensor data and at least one of the first and second computed predicate data; to generate a control signal based at least in part on the received sensor data, at least one of the first and second computed predicate data, and the received additional data from said at least one of the first one of the two or more third party applications and the second one of the two or more third party applications; and to transmit the control signal to at least one of the nodes of the node network (Parag. [0084] and Parag. [0145-0146]; (The art teaches that the first application separates that data into a first set and a second set according to a predetermined criteria, e.g., established controls. As illustrated in FIG. 1, third-party application 110 can provide a centralized way for a user to access health information. Display 106 can execute a plurality of applications relating to health information. Some examples include applications that track sleeping patterns, monitor food and caloric intake, track exercise, measure calories burned, monitor blood pressure, control and record insulin injections, monitor heart rate, monitor consumption of supplements and medicines, and others. These third-party applications, such as the third-party applications 114, 116, provide information to an approved third-party application 110 that stores health-related information for a user. The art teaches that the first application ;
wherein said at least one processing device is further configured: 
to assign, based at least in part on whether the first one of the set of two or more third party applications exhibits at least a threshold level of commonality with one or more other 2   ones of the two or more third party applications associated with the node network, a first set of one or more classes of capabilities to the first one of the two or more third party applications; to assign, based at least in part on whether the second one of the set of two or more third party applications exhibits at least the threshold level of commonality with one or more other ones of the two or more third party applications associated with the node network, a second set of one or more classes of capabilities to the second one of the two or more third party applications, the second set of one or more classes of capabilities being different than the first set of one or more classes of capabilities (Parag. [0125-0127] and Fig. 10; (The art teaches determining a level of compliance (i.e., threshold level) for a medical device and providing data relating to glucose levels to the medical device based on the level of compliance. The example of FIG. 10 illustrates a way to control the type of data that is provided to other applications based on the level of compliance (i.e., threshold level) of other applications. This ensures that the dedicated application provides data only to trusted applications, or provides a reduced set of data to certain application compared to others. The dedicated application determines a level of compliance (i.e., threshold level) of another application or a third-party requesting access to the data relating to glucose levels. The dedicated application can determine the level of compliance in a variety of manners. For example, dedicated application accesses a listing of applications stored in memory or online that indicates whether an application has been approved as a medical device by the Food and Drug Administration and, if so, a corresponding .
Mensinger doesn’t explicitly disclose wherein the first and second computed predicate data are associated with respective first and second pseudonyms configured to prevent the first one of the two or more third party applications and the second one of the two or more third party applications from combining the first and second portions of the sensor data to obtain designated information that a user has not permitted the first one of the two or more third party applications and the second one of the two or more third party applications to access; wherein said at least one processing device is further configured: to select the first and second pseudonyms based at least in part on the first set of one or more classes of capabilities assigned to the first one of the two or more third party applications and the second set of one or more classes of capabilities assigned to the second one of the two or more third party applications; and  wherein the first and second pseudonyms each comprise one of a first type of pseudonym that is the same for two or more sessions and a second type of pseudonym that is unique to a given one of the two or more sessions.
However, LaFever discloses: 
wherein the first and second computed predicate data are associated with respective first and second pseudonyms configured to prevent the first one of the two or more third party applications and the second one of the two or more third party applications from combining the first and second portions of the sensor data to obtain designated information that a user has not permitted the first one of the two or more third party applications and the second one of the two or more third party applications to access (Abstract, Parag. [0021-0023], and Parag. [0185]; (The art teaches systems, computer readable media, and methods for improving both data privacy/anonymity and data value, wherein data related to a data subject can be used and stored, while minimizing re-identification risk by unauthorized parties and enabling data, including quasi-identifiers, related to the data subject to be disclosed to any authorized party by granting access only to the data relevant to that authorized party's purpose, time period, place and/or other criterion via the obfuscation of specific data values. The art teaches use a first DDID at one time for a specific purpose pertaining to a first Data Subject, action, activity, process and/or trait, and then use a second DDID in association with the first Data Subject, action, activity, process and/or trait, for a different purpose. The art teaches tracking and recording different DDIDs used by, and associated with, Data Subjects at different times with respect to various actions, activities, processes or traits thereby enabling the storage, selection and retrieval of information applicable to a specific action, activity, process or trait and/or a specific Data Subject. Conversely, the system may not enable third parties external to the system to effectively retain and aggregate data due to the use of multiple DDIDs and the lack of information available external to the system to determine relationships between and among DDIDs and/or Data Subjects, actions, activities, processes and/or traits; each DDID may be associated with any one or more data attributes to facilitate with respect to a specific action, activity, process or trait. A dynamic de-identifier DDID is a temporally-bounded pseudonym which both refers to and obscures the value of (i) a primary key referencing a Data Subject, action, activity, process and/or trait, (ii) the value of an attribute of that Data Subject, action, activity, process and/or trait, and/or (iii) the kind or type of data being associated with the Data Subject, action, activity, process and/or trait)); 
wherein said at least one processing device is further configured: to select the first and second pseudonyms based at least in part on the first set of one or more classes of capabilities assigned to the first one of the two or more third party applications and the second set of one or more classes of capabilities assigned to the second one of the two or more third party applications (Abstract, Parag. [0019-0023], Parag. [0185], and Parag. [0473-; and  
		wherein the first and second pseudonyms each comprise one of a first type of pseudonym that is the same for two or more sessions and a second type of pseudonym that is unique to a given one of the two or more sessions (Parag. [0024-0026] and Parag. [0397]; (The art teaches that in order for a cookie to serve as a DDID, the browser (serving as the client in this potential embodiment of the invention) may prevent any cookie submitted by the website .
It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify Mensinger to incorporate the teaching of LaFever. This would be convenient for improving data security, privacy, and accuracy, and, in particular, to using dynamically changing identifiers to render elements of data (Parag. [0003]). 
                       
                                                                                                                                                                                           
Claim 2. 	Mensinger in view of LaFever discloses the apparatus of claim 1, 
		Mensinger further discloses wherein said at least one processing device comprises one or more servers coupled to the node network (Parag. [0008]; (The art teaches that the redistribution may be to one or more third-party applications running on the smart phone, or to remote computing devices, such as a server or to a separate smart device)).  

Claim 3. 	Mensinger in view of LaFever discloses the apparatus of claim 1,  
Mensinger doesn’t explicitly disclose wherein said at least one processing device implements a central authority of the trusted party responsible for configuration and management of the node network.   
However, LaFever discloses wherein said at least one processing device implements a central authority of the trusted party responsible for configuration and management of the node network (Parag. [0019-0023] and Fig. 1C; (The art teaches enabling the ability of Data Subjects to maintain flexible levels of privacy and/or anonymity under the control of a Data Subject or controlling entity that may be a trusted party)).
It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify Mensinger to incorporate the teaching of LaFever. This would be convenient for improving data security, privacy, and accuracy, and, in particular, to using dynamically changing identifiers to render elements of data (Parag. [0003]).

Claim 4. 	Mensinger in view of LaFever discloses the apparatus of claim 3, 
Mensinger doesn’t explicitly disclose wherein at least one of the first one of the two or more third party applications and the second one of the two or more third party applications executes in a trusted processing environment that is under a control of the trusted party.
However, LaFever discloses wherein at least one of the first one of the two or more third party applications and the second one of the two or more third party applications executes in a trusted processing environment that is under a control of the trusted party (Abstract, Parag. [0019-0023], Parag. [0185], and Fig. 1C-2; (The art teaches systems, computer readable media, and methods for improving both data privacy/anonymity and data value, wherein data related to a data subject can be used and stored, while minimizing re-identification risk by .  
It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify Mensinger to incorporate the teaching of LaFever. This would be convenient for improving data security, privacy, and accuracy, and, in particular, to using dynamically changing identifiers to render elements of data (Parag. [0003]).

Claim 5. 	Mensinger in view of LaFever discloses the apparatus of claim 3, 
Mensinger doesn’t explicitly disclose wherein at least one of the first one of the two or more third party applications and the second one of the two or more third party applications executes in a non-trusted processing environment that is not under a control of the trusted party.
		However, LaFever discloses wherein at least one of the first one of the two or more third party applications and the second one of the two or more third party applications executes in a non-trusted processing environment that is not under a control of the trusted party (Parag. [0032]; (The art teaches that medical-related and other areas of research, Dynamic Anonymity will be more attractive than traditional approaches to "de-identification" that protect data privacy/anonymity by using a defensive approach--e.g., a series of masking steps are applied to direct identifiers and masking and/or statistically-based manipulations are applied to quasi-identifiers in order to reduce the likelihood of re-identification by unauthorized third parties (i.e., non-trusted))).  
		It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify Mensinger to incorporate the teaching of LaFever. 

Claim 6. 	Mensinger in view of LaFever discloses the apparatus of claim 1, 
Mensinger doesn’t explicitly disclose wherein at least one of the first one of the two or more third party applications and the second one of the two or more third party applications comprises one or more software programs of a third party service provider. 
		However, LaFever discloses wherein at least one of the first one of the two or more third party applications and the second one of the two or more third party applications comprises one or more software programs of a third party service provider (Parag. [0734]; (The art teaches that a service provider is the controlling entity authorized to designate parties to whom select attribute combinations related to service provider clients are released)).  
		It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify Mensinger to incorporate the teaching of LaFever. This would be convenient for improving data security, privacy, and accuracy, and, in particular, to using dynamically changing identifiers to render elements of data (Parag. [0003]).

Claim 7. 	Mensinger in view of LaFever discloses the apparatus of claim 1,  
		Mensinger further discloses wherein the node network comprises a sensor network that includes a set of sensor devices with at least one of the sensor devices being configured to generate the sensor data (Parag. [0158] and Fig. 18; (The art teaches that the user is employing multiple body-worn sensor and/or actuator devices that can provide health information relevant to glucose data monitored by the continuous glucose sensor unit)).  

Claim 8. 	Mensinger in view of LaFever discloses the apparatus of claim 7,
		Mensinger further discloses wherein the sensor network is deployed in at least one of an interior space and an exterior space of a building or other structure (Parag. [0038]; (The art teaches that the environment generally involves a networked system of one or more body-worn medical devices (i.e., worn inside and outside a building) that measure one or more health characteristics of a patient and/or administer one or more treatments to the patient communicating with electronic device(s). The monitored health characteristics can include the .  

Claim 9. 	Mensinger in view of LaFever discloses the apparatus of claim 1,  
Mensinger further discloses wherein computing the first and second predicate data based at least in part on the received sensor data comprises computing the first and second predicate data in accordance with one or more user-specified policies relating to access by the first one of the two or more third party applications and the second one of the two or more third party applications to information including or derived from the sensor data (Parag. [0071-0072], Parag. [0076], and Parag. [0099-0101]; (The art teaches where the continuous glucose sensor unit transmits raw data values and the timestamps, the first application can convert the raw data values to a unit of measurement familiar to a user, such as mg/dL. The first application may be part of an approved medical device. The first application can control the type of data to provide to each third-party application. A third-party application may receive the same data as the dedicated application, or limited data such as with fewer data points, averaged data points, or an indication as to whether the glucose level is low, normal, or high without any specific data points. The first application separates that data into a first set and a second set according to a predetermined criteria, e.g., established controls. The established controls include, for example, rules for restricting access to a complete set of data for third-party applications, which may be based on user preferences or on default controls)).  

Claim 11. 	Mensinger in view of LaFever discloses the apparatus of claim 1,  
Mensinger doesn’t explicitly disclose wherein computing the first and second predicate data based at least in part on the received sensor data comprises associating the first and second computed predicate data with the first and second pseudonyms that prevent the first one of the two or more third party applications and the second one of the two or more third party applications from determining an identifier of a source of the corresponding sensor data.  
wherein computing the first and second predicate data based at least in part on the received sensor data comprises associating the first and second computed predicate data with the first and second pseudonyms that prevent the first one of the two or more third party applications and the second one of the two or more third party applications from determining an identifier of a source of the corresponding sensor data (Abstract, Parag. [0021-0023], and Parag. [0185]; (The art teaches systems, computer readable media, and methods for improving both data privacy/anonymity and data value, wherein data related to a data subject can be used and stored, while minimizing re-identification risk by unauthorized parties and enabling data, including quasi-identifiers, related to the data subject to be disclosed to any authorized party by granting access only to the data relevant to that authorized party's purpose, time period, place and/or other criterion via the obfuscation of specific data values. The art teaches use a first DDID at one time for a specific purpose pertaining to a first Data Subject, action, activity, process and/or trait, and then use a second DDID in association with the first Data Subject, action, activity, process and/or trait, for a different purpose. The art teaches tracking and recording different DDIDs used by, and associated with, Data Subjects at different times with respect to various actions, activities, processes or traits thereby enabling the storage, selection and retrieval of information applicable to a specific action, activity, process or trait and/or a specific Data Subject. Conversely, the system may not enable third parties external to the system to effectively retain and aggregate data due to the use of multiple DDIDs and the lack of information available external to the system to determine relationships between and among DDIDs and/or Data Subjects, actions, activities, processes and/or traits; each DDID may be associated with any one or more data attributes to facilitate with respect to a specific action, activity, process or trait. A dynamic de-identifier DDID is a temporally-bounded pseudonym which both refers to and obscures the value of (i) a primary key referencing a Data Subject, action, activity, process and/or trait, (ii) the value of an attribute of that Data Subject, action, activity, process and/or trait, and/or (iii) the kind or type of data being associated with the Data Subject, action, activity, process and/or trait)).
It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify Mensinger to incorporate the teaching of LaFever. This would be convenient for improving data security, privacy, and accuracy, and, in particular, to using dynamically changing identifiers to render elements of data (Parag. [0003]).
Claim 12. 	Mensinger in view of LaFever discloses the apparatus of claim 1,  
Mensinger further discloses wherein computing the first and second predicate data based at least in part on the received sensor data further comprises computing the first and second predicate data in accordance with one or more compliance policies (Parag. [0071-0072], Parag. [0076], and Parag. [0099-0101]; (The art teaches where the continuous glucose sensor unit transmits raw data values and the timestamps, the first application can convert the raw data values to a unit of measurement familiar to a user, such as mg/dL. The first application may be part of an approved medical device. The first application can control the type of data to provide to each third-party application. A third-party application may receive the same data as the dedicated application, or limited data such as with fewer data points, averaged data points, or an indication as to whether the glucose level is low, normal, or high without any specific data points. The first application separates that data into a first set and a second set according to a predetermined criteria, e.g., established controls. The established controls include, for example, rules for restricting access to a complete set of data for third-party applications, which may be based on user preferences or on default controls)).  

Claim 13. 	Mensinger in view of LaFever discloses the apparatus of claim 1, 
Mensinger doesn’t explicitly disclose wherein computing the first and second predicate data based at least in part on the received sensor data comprises computing, from received sensor data that includes one or more explicit identifiers, anonymized predicate data that does not include the one or more explicit identifiers.
However, LaFever discloses wherein computing the first and second predicate data based at least in part on the received sensor data comprises computing, from received sensor data that includes one or more explicit identifiers, anonymized predicate data that does not include the one or more explicit identifiers (Abstract, Parag. [0021-0023], and Parag. [0185]; (The art teaches systems, computer readable media, and methods for improving both data privacy/anonymity and data value, wherein data related to a data subject can be used and stored, while minimizing re-identification risk by unauthorized parties and enabling data, including quasi-identifiers, related to the data subject to be disclosed to any authorized party by granting access only to the data relevant to that authorized party's purpose, time period, place and/or other criterion via the obfuscation of specific data values. The art teaches use a first DDID at one time . 
It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify Mensinger to incorporate the teaching of LaFever. This would be convenient for improving data security, privacy, and accuracy, and, in particular, to using dynamically changing identifiers to render elements of data (Parag. [0003]).

Claim 14. 	Mensinger in view of LaFever discloses the apparatus of claim 13, 
Mensinger doesn’t explicitly disclose wherein the anonymized predicate data is indicative of at least one of an activity associated with a user within an area in which the sensor data was collected, and a classification of the user within the area
		However, LaFever discloses wherein the anonymized predicate data is indicative of at least one of an activity associated with a user within an area in which the sensor data was collected, and a classification of the user within the area (Parag. [0408]; (The art teaches that The blood pressure monitoring application (A) contacts a Trusted Party within a Circle of Trust (B) requesting a DDID for the Data Subject patient.  [0410] 2.  The CoT Trusted Party provides a DDID for the Data Subject.  [0411] 3.  An application operated by the Trusted Party sends back two sets of periodically-changing information (one for GPS data, one for blood pressure levels), each consisting of DDIDs, offsets (to obscure blood pressure level data and geographic position), and encryption keys; refreshed for each new time period)).
		It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify Mensinger to incorporate the teaching of LaFever. This would be convenient for improving data security, privacy, and accuracy, and, in particular, to using dynamically changing identifiers to render elements of data (Parag. [0003]).  

Claim 15. 	Mensinger discloses a method comprising: 
receiving sensor data from one or more nodes of a node network Parag. [0036] and Parag. [0038-0039]; (The art teaches receiving glucose data from a continuous glucose sensor and controlling the use and redistribution of that data so it is used in an intended manner. Some ;  
computing first and second predicate data based at least in part on the received sensor data (Parag. [0071-0072], Parag. [0076], and Parag. [0099-0101]; (The art teaches where the continuous glucose sensor unit transmits raw data values and the timestamps, the first application can convert the raw data values to a unit of measurement familiar to a user, such as mg/dL. The first application may be part of an approved medical device. The first application can control the type of data to provide to each third-party application. A third-party application may receive the same data as the dedicated application, or limited data such as with fewer data points, averaged data points, or an indication as to whether the glucose level is low, normal, or high without any specific data points. The first application separates that data into a first set and a second set according to a predetermined criteria, e.g., established controls. The established controls include, for example, rules for restricting access to a complete set of data for third-party applications, which may be based on user preferences or on default controls)); 
transmitting at least a first portion of the received sensor data and the first computed predicate data to a first one of two or more third party applications associated with the node network; transmitting at least a second portion of the received sensor data and the second computed predicate data to a second one of the two or more third party applications (Parag. [0041], Parag. [0083], Parag. [0099-0101]; (The art teaches that the dedicated application to provide some or all of the body-worn medical device generated data and dedicated application generated data to other applications (e.g., third-party application(s)) resident on the smart phone or other communicatively connected computing system (i.e., network). The art teaches that the redistribution may be to one or more third-party applications running on the smart phone. The art teaches that the first application separates the received data into a first set of data and a second set of data. The first application divides the continuously generated glucose measurements into the first and second sets of data based on a predetermined criteria, e.g., such as a category or type of the data (e.g., which may be identified by a data field or metadata of the data), a timestamp of the data, a size of the data, a source of the data, or other factor associated with the received data. In some implementations of the exemplary method, the received data includes additional health or medical data, and the process includes the first application creating a set of data relating to the continuously generated glucose measurements ;  
receiving additional data from at least one of the first one of the two or more third party applications and the second one of the two or more third party applications responsive to at least one of the transmitted first and second portions of the received sensor data and at least one of the first and second computed predicate data; generating a control signal based at least in part on the received sensor data, at least one of the first and second computed predicate data, and the received additional data from said at least one of the first one of the two or more third party applications and the second one of the two or more third party applications; and transmitting the control signal to at least one of the nodes of the node network (Parag. [0084] and Parag. [0145-0146]; (The art teaches that the first application separates that data into a first set and a second set according to a predetermined criteria, e.g., established controls. As illustrated in FIG. 1, third-party application 110 can provide a centralized way for a user to access health information. Display 106 can execute a plurality of applications relating to health information. Some examples include applications that track sleeping patterns, monitor food and caloric intake, track exercise, measure calories burned, monitor blood pressure, control and record insulin injections, monitor heart rate, monitor consumption of supplements and medicines, and others. These third-party applications, such as the third-party applications 114, 116, provide information to an approved third-party application 110 that stores health-related information for a user. The art teaches that the first application ; 
wherein the method further comprises: 
assigning, based at least in part on whether the first one of the set of two or more third party applications exhibits at least a threshold level of commonality with one or more other ones of the two or more third party applications associated with the node network, a first set of one or more classes of capabilities to the first one of the two or more third party applications; assigning, based at least in part on whether the second one of the set of two or more third party applications exhibits at least the threshold level of commonality with one or more other ones of the two or more third party applications associated with the node network, a second set of one or more classes of capabilities to the second one of the two or more third party applications, the second set of one or more classes of capabilities being different than the first set of one or more classes of capabilities (Parag. [0125-0127] and Fig. 10; (The art teaches determining a level of compliance (i.e., threshold level) for a medical device and providing data relating to glucose levels to the medical device based on the level of compliance. The example of FIG. 10 illustrates a way to control the type of data that is provided to other applications based on the level of compliance (i.e., threshold level) of other applications. This ensures that the dedicated application provides data only to trusted applications, or provides a reduced set of data to certain application compared to others. The dedicated application determines a level of compliance (i.e., threshold level) of another application or a third-party requesting access to the data relating to glucose levels. The dedicated application can determine the level of compliance in a variety of manners. For example, dedicated application accesses a listing of applications stored in memory or online that indicates whether an application has been approved as a medical device by the Food and Drug Administration and, if so, a corresponding 7), a user may control preferences that determine which application should receive data and what set of data should be provided));
wherein the method is performed by at least one processing device comprising a processor coupled to a memory (Parag. [0051] and Fig. 1; (Computing device 106)). 
51815-5Mensinger doesn’t explicitly disclose wherein the first and second computed predicate data are associated with respective first and second pseudonyms configured to prevent the first one of the two or more third party applications and the second one of the two or more third party applications from combining the first and second portions of the sensor data to obtain designated information that a user has not permitted the first one of the two or more third party applications and the second one of the two or more third party applications to access; selecting the first and second pseudonyms based at least in part on the first set of one or more classes of capabilities assigned to the first one of the two or more third party applications and the second set of one or more classes of capabilities assigned to the second one of the two or more third party applications; wherein the first and second pseudonyms each comprise one of a first type of pseudonym that is the same for two or more sessions and a second type of pseudonym that is unique to a given one of the two or more sessions.



wherein the first and second computed predicate data are associated with respective first and second pseudonyms configured to prevent the first one of the two or more third party applications and the second one of the two or more third party applications from combining the first and second portions of the sensor data to obtain designated information that a user has not permitted the first one of the two or more third party applications and the second one of the two or more third party applications to access (Abstract, Parag. [0021-0023], and Parag. [0185]; (The art teaches systems, computer readable media, and methods for improving both data privacy/anonymity and data value, wherein data related to a data subject can be used and stored, while minimizing re-identification risk by unauthorized parties and enabling data, including quasi-identifiers, related to the data subject to be disclosed to any authorized party by granting access only to the data relevant to that authorized party's purpose, time period, place and/or other criterion via the obfuscation of specific data values. The art teaches use a first DDID at one time for a specific purpose pertaining to a first Data Subject, action, activity, process and/or trait, and then use a second DDID in association with the first Data Subject, action, activity, process and/or trait, for a different purpose. The art teaches tracking and recording different DDIDs used by, and associated with, Data Subjects at different times with respect to various actions, activities, processes or traits thereby enabling the storage, selection and retrieval of information applicable to a specific action, activity, process or trait and/or a specific Data Subject. Conversely, the system may not enable third parties external to the system to effectively retain and aggregate data due to the use of multiple DDIDs and the lack of information available external to the system to determine relationships between and among DDIDs and/or Data Subjects, actions, activities, processes and/or traits; each DDID may be associated with any one or more data attributes to facilitate with respect to a specific action, activity, process or trait. A dynamic de-identifier DDID is a temporally-bounded pseudonym which both refers to and obscures the value of (i) a primary key referencing a Data Subject, action, activity, process and/or trait, (ii) the value of an attribute of that Data Subject, action, activity, process and/or trait, and/or (iii) the kind or type of data being associated with the Data Subject, action, activity, process and/or trait)); 
selecting the first and second pseudonyms based at least in part on the first set of one or more classes of capabilities assigned to the first one of the two or more third party applications and the second set of one or more classes of capabilities assigned to the second one of the two or more third party applications (Abstract, Parag. [0019-0023], Parag. [0185], and Parag. [0473-0474]; (The art teaches systems, computer readable media, and methods for improving both data privacy/anonymity and data value, wherein data related to a data subject can be used and stored, while minimizing re-identification risk by unauthorized parties and enabling data, including quasi-identifiers, related to the data subject to be disclosed to any authorized party by granting access only to the data relevant to that authorized party's purpose, time period, place and/or other criterion via the obfuscation of specific data values. The art teaches use a first DDID at one time for a specific purpose pertaining to a first Data Subject, action, activity, process and/or trait, and then use a second DDID in association with the first Data Subject, action, activity, process and/or trait, for a different purpose. The art also teaches enabling the ability of Data Subjects to maintain flexible levels of privacy and/or anonymity under the control of a Data Subject or controlling entity that may be a trusted party. i.e., selecting the first and the second pseudonyms is based on the classification (trusted/untrusted) of third parties, and the related data subject to be disclosed to any authorized party is granted by providing only to the data relevant to that authorized party's purpose. The art also teaches that combined with the processes used to obfuscate data elements can then be separated into categorical or other types of classification schemas to determine various functions such as permitted uses and what level of permission entities need to have before using data. This process may also be applied to single or aggregated AMS scores. Aggregated AMS scores are the likelihood of multi data point re-identification expressed through AMS scores as compounded together to express the level of uniqueness of combined data points. As an example of a possible categorical classification schema, the AMS score could be broken into Categories A, B and C. Where category A is data with a single or aggregated score of 75 or more may be used only with current, express and unambiguous consent of the Data Subject. Category B may represent a single or aggregated AMS score of 40 to 74.9 that would mean the data set could be used with (i) current or (ii) prior express consent of the Data Subject. A Category C could represent a single or aggregated AMS score of 39.9 or lower which could allow for use of the data set without requiring consent of the Data Subject)); 
		wherein the first and second pseudonyms each comprise one of a first type of pseudonym that is the same for two or more sessions and a second type of pseudonym that is unique to a given one of the two or more sessions (Parag. [0024-0026] and Parag. [0397]; (The art teaches that in order for a cookie to serve as a DDID, the browser (serving as the client in this potential embodiment of the invention) may prevent any cookie submitted by the website from persisting between browsing sessions (e.g., by copying the user's cookies, cache and browsing history files to the anonymity system's servers and then deleting them off the user's computer), such that a new cookie may be assigned for each browsing session.  In this manner, the various cookies (in this example embodiment, serving as DDIDs representing separateness of identity of Data Subjects) issued by the website, while being created "externally" to the system, would each be unique and would not enable the website to remember stateful information or aggregate the Data Subject's browsing activity, since each of the browsing sessions would be perceived by the website as unrelated--thereby enabling the Data Subject to remain dynamically anonymous as long as desired, to the extent desired. Further, the art teaches that the system may be configured such that the assignment, expiration and/or recycling of any given DDID may occur based on any one or more of the following factors: (1) change in the purpose for which a DDID (and associated TDR) was created, e.g., association with a specific browsing sessions, Data Subject, transaction, or other purpose; (2) change in the physical location associated with a DDID (and associated TDR), e.g., upon exiting a physical location, upon arrival at a general physical location, upon arrival at a specific physical location, upon entering a physical location, or some other indicia of physical location; (3) change in the virtual location associated with a DDID (and associated TDR), e.g., upon entering a virtual location, upon changing a virtual location, upon exiting a virtual location, upon arrival at a specific page on a website, upon arrival at a specific website, or some other indicia of virtual location; and/or (4) based on temporal changes, e.g., at randomized times, at predetermined times, at designated intervals, or some other temporally based criteria.  As may be appreciated, DDIDs separate data from context because, external to the system, there is no discernable relationship between Pertinent Data, the identity of a Data Subject or related party or Context Data associated with different DDIDs and/or TDRs. Internal to the system, relationship information is maintained for use as authorized by Data Subjects and trusted parties/proxies)).
It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify Mensinger to incorporate the teaching of LaFever. 

Claim 16 is taught by Mensinger in view of LaFever as described for claim 9.

Claim 17 is taught by Mensinger in view of LaFever as described for claim 11.

Claim 18. 	Mensinger discloses a computer program product comprising a non-transitory processor-readable storage medium having stored therein program code of one or more software programs (Parag. [0051] and Fig. 1; (Computing device 106)), wherein the program code when executed by at least one processing device causes said at least one processing device: 
to receive sensor data from one or more nodes of a node network (Parag. [0036] and Parag. [0038-0039]; (The art teaches receiving glucose data from a continuous glucose sensor and controlling the use and redistribution of that data so it is used in an intended manner. Some embodiments control which applications will receive the data, provide security measures for maintaining the privacy of medical data)); 
to compute first and second predicate data based at least in part on the received sensor data (Parag. [0071-0072], Parag. [0076], and Parag. [0099-0101]; (The art teaches where the continuous glucose sensor unit transmits raw data values and the timestamps, the first application can convert the raw data values to a unit of measurement familiar to a user, such as mg/dL. The first application may be part of an approved medical device. The first application can control the type of data to provide to each third-party application. A third-party application may receive the same data as the dedicated application, or limited data such as with fewer data points, averaged data points, or an indication as to whether the glucose level is low, normal, or high without any specific data points. The first application separates that data into a first set and a second set according to a predetermined criteria, e.g., established controls. The established controls include, for example, rules for restricting access to a complete set of data for third-party applications, which may be based on user preferences or on default controls)); 
to transmit at least a first portion of the received sensor data and the first computed predicate data to a first one of two or more third party applications associated with the node network; to transmit at least a second portion of the received sensor data and the second computed predicate data to a second one of the two or more third party applications (Parag. [0041], Parag. [0083], Parag. [0099-0101]; (The art teaches that the dedicated application to provide some or all of the body-worn medical device generated data and dedicated application generated data to other applications (e.g., third-party application(s)) resident on the smart phone or other communicatively connected computing system (i.e., network). The art teaches that the redistribution may be to one or more third-party applications running on the smart phone. The art teaches that the first application separates the received data into a first set of data and a second set of data. The first application divides the continuously generated glucose measurements into the first and second sets of data based on a predetermined criteria, e.g., such as a category or type of the data (e.g., which may be identified by a data field or metadata of the data), a timestamp of the data, a size of the data, a source of the data, or other factor associated with the received data. In some implementations of the exemplary method, the received data includes additional health or medical data, and the process includes the first application creating a set of data relating to the continuously generated glucose measurements from which the first and second sets of data will be formed. Separating data relating to glucose levels for different applications. The amount and type of data provided to various applications can be restricted to ensure authorized uses of the medical data. The determination as to the amount and type of data to distribute can be based on the level of security offered by each application. The first application separates that data into a first set and a second set according to a predetermined criteria, e.g., established controls. The established controls include, for example, rules for restricting access to a complete set of data for third-party applications, which may be based on user preferences or on default controls. Examples of the data separated into the second set of data for the third-party application can include only averaged glucose values over defined intervals (e.g., such as fifteen minutes rather than all of sampled the glucose values), and/or generalized indications of glucose levels instead of the actual measurement values, in which exemplary indications include low, normal, or high, where the bounds of what levels constitute low, normal or high are predefined by the system or user)); 
to receive additional data from at least one of the first one of the two or more third party applications and the second one of the two or more third party applications responsive to at least one of the transmitted first and second portions of the received sensor data and at least one of the first and second computed predicate data; to generate a control signal based at least in part on the received sensor data, at least one of the first and second computed predicate data, and the received additional data from said at least one of the first one of the two or more third party applications and the second one of the two or more third party applications; and to transmit the control signal to at least one of the nodes of the node network (Parag. [0084] and Parag. [0145-0146]; (The art teaches that the first application separates that data into a first set and a second set according to a predetermined criteria, e.g., established controls. As illustrated in FIG. 1, third-party application 110 can provide a centralized way for a user to access health information. Display 106 can execute a plurality of applications relating to health information. Some examples include applications that track sleeping patterns, monitor food and caloric intake, track exercise, measure calories burned, monitor blood pressure, control and record insulin injections, monitor heart rate, monitor consumption of supplements and medicines, and others. These third-party applications, such as the third-party applications 114, 116, provide information to an approved third-party application 110 that stores health-related information for a user. The art teaches that the first application posts glucose data to a health application. The health application can be any type of application that receives glucose data from the first application. The first application can post actual measured values or test data to the health application. The first application reads back the glucose data from the health application. Application program interfaces can be used to request read data back from the health application. By reading back the posted values, the first application can verify that the data relating to glucose values was properly received, handled, and stored by the third-party health application. If the read data does not match the posted data, the first application issues a notification (i.e., control signal) to the user or determines that the health application should no longer receive data relating to glucose values));
wherein the program code when executed further causes said at least one processing device: 
to assign, based at least in part on whether the first one of the set of two or more third party applications exhibits at least a threshold level of commonality with one or more other ones of the two or more third party applications associated with the node network, a first set of one or more classes of capabilities to the first one of the two or more third party applications; to assign, based at least in part on whether the second one of the set of two or more third party applications exhibits at least the threshold level of commonality with one or more other ones of the two or more third party applications associated with the node network, a second set of one or more classes of capabilities to the second one of the two or more third party applications, the second set of one or more classes of capabilities being different than the first set of one or more classes of capabilities (Parag. [0125-0127] and Fig. 10; (The art teaches determining a level of compliance (i.e., threshold level) for a medical device and providing data relating to glucose levels to the medical device based on the level of compliance. The example of FIG. 10 illustrates a way to control the type of data that is provided to other applications based on the level of compliance (i.e., threshold level) of other applications. This ensures that the dedicated application provides data only to trusted applications, or provides a reduced set of data to certain application compared to others. The dedicated application determines a level of compliance (i.e., threshold level) of another application or a third-party requesting access to the data relating to glucose levels. The dedicated application can determine the level of compliance in a variety of manners. For example, dedicated application accesses a listing of applications stored in memory or online that indicates whether an application has been approved as a medical device by the Food and Drug Administration and, if so, a corresponding classification for the medical device. In another embodiment, the application may provide an indication of its classification and security level (i.e., one or more classes of capabilities) to the dedicated application. If the level of compliance for an application is high (i.e., first set of one or more classes of capabilities), such as a class III medical device, the dedicated application provides the glucose data to the application. For example, the dedicated application can provide the application with data relating to glucose levels in real-time. If, however, the level of compliance is lower (i.e., second set of one or more classes of capabilities being different than the first set of one or more classes of capabilities), such as when the application is not a medical device, the dedicated application provides data relating to glucose levels with restrictions. For example, the restrictions may include encrypting data, providing a reduced set of data, delaying data, or any combination of the embodiments previously described with reference to FIGS. 1-10. In both situations of providing data without restrictions or providing data with restrictions (e.g., as described with reference to FIGS. 2, 5, and/or 7), a user may control preferences that determine which application should receive data and what set of data should be provided)).71815-5    
 wherein the first and second computed predicate data are associated with respective first and second pseudonyms configured to prevent the first one of the two or more third party applications and the second one of the two or more third party applications from combining the first and second portions of the sensor data to obtain designated information regarding that a user has not permitted the first one of the two or more third party applications and the second one of the two or more third party applications to access; wherein the program code when executed further causes said at least one processing device: to select the first and second pseudonyms based at least in part on the first set of one or more classes of capabilities assigned to the first one of the two or more third party applications and the second set of one or more classes of capabilities assigned to the second one of the two or more third party applications; and wherein the first and second pseudonyms each comprise one of a first type of pseudonym that is the same for two or more sessions and a second type of pseudonym that is unique to a given one of the two or more sessions.
However, LaFever discloses: 
wherein the first and second computed predicate data are associated with respective first and second pseudonyms configured to prevent the first one of the two or more third party applications and the second one of the two or more third party applications from combining the first and second portions of the sensor data to obtain designated information regarding that a user has not permitted the first one of the two or more third party applications and the second one of the two or more third party applications to access (Abstract, Parag. [0021-0023], and Parag. [0185]; (The art teaches systems, computer readable media, and methods for improving both data privacy/anonymity and data value, wherein data related to a data subject can be used and stored, while minimizing re-identification risk by unauthorized parties and enabling data, including quasi-identifiers, related to the data subject to be disclosed to any authorized party by granting access only to the data relevant to that authorized party's purpose, time period, place and/or other criterion via the obfuscation of specific data values. The art teaches use a first DDID at one time for a specific purpose pertaining to a first Data Subject, action, activity, process and/or trait, and then use a second DDID in association with the first Data Subject, action, activity, process and/or trait, for a different purpose. The art teaches tracking and recording different DDIDs used by, and ; 
wherein the program code when executed further causes said at least one processing device: to select the first and second pseudonyms based at least in part on the first set of one or more classes of capabilities assigned to the first one of the two or more third party applications and the second set of one or more classes of capabilities assigned to the second one of the two or more third party applications (Abstract, Parag. [0019-0023], Parag. [0185], and Parag. [0473-0474]; (The art teaches systems, computer readable media, and methods for improving both data privacy/anonymity and data value, wherein data related to a data subject can be used and stored, while minimizing re-identification risk by unauthorized parties and enabling data, including quasi-identifiers, related to the data subject to be disclosed to any authorized party by granting access only to the data relevant to that authorized party's purpose, time period, place and/or other criterion via the obfuscation of specific data values. The art teaches use a first DDID at one time for a specific purpose pertaining to a first Data Subject, action, activity, process and/or trait, and then use a second DDID in association with the first Data Subject, action, activity, process and/or trait, for a different purpose. The art also teaches enabling the ability of Data Subjects to maintain flexible levels of privacy and/or anonymity under the control of a Data Subject or controlling entity that may be a trusted party. i.e., selecting the first and the second pseudonyms is based on the classification (trusted/untrusted) of third parties, and the related data subject to be disclosed to any authorized party is granted by providing only to the data relevant to that authorized party's purpose. The art also teaches that combined with the ; and 
		wherein the first and second pseudonyms each comprise one of a first type of pseudonym that is the same for two or more sessions and a second type of pseudonym that is unique to a given one of the two or more sessions (Parag. [0024-0026] and Parag. [0397]; (The art teaches that in order for a cookie to serve as a DDID, the browser (serving as the client in this potential embodiment of the invention) may prevent any cookie submitted by the website from persisting between browsing sessions (e.g., by copying the user's cookies, cache and browsing history files to the anonymity system's servers and then deleting them off the user's computer), such that a new cookie may be assigned for each browsing session.  In this manner, the various cookies (in this example embodiment, serving as DDIDs representing separateness of identity of Data Subjects) issued by the website, while being created "externally" to the system, would each be unique and would not enable the website to remember stateful information or aggregate the Data Subject's browsing activity, since each of the browsing sessions would be perceived by the website as unrelated--thereby enabling the Data Subject to remain dynamically anonymous as long as desired, to the extent desired. Further, the art teaches that the system may be configured such that the assignment, expiration and/or recycling of any given DDID may occur based on any one or more of the following factors: (1) change in the purpose for which a DDID (and associated TDR) was created, e.g., association with a specific browsing sessions, Data Subject, transaction, or other purpose; (2) change in the physical location associated with a .
It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify Mensinger to incorporate the teaching of LaFever. This would be convenient for improving data security, privacy, and accuracy, and, in particular, to using dynamically changing identifiers to render elements of data (Parag. [0003]).

Claim 19 is taught by Mensinger in view of LaFever as described for claim 9.

Claim 20 is taught by Mensinger in view of LaFever as described for claim 11.

Claim 21. 	Mensinger in view of LaFever discloses the apparatus of claim 1,   
Mensinger further discloses wherein said at least one processing device is further configured: 
		to identify a security risk associated with operation of the first one of the two or more third party applications in combination with the second one of the two or more third party applications, the identified security risk being based on a determination that at least one of the first one of the two or more third party applications and the second one of the two or more third party applications do not share at least the threshold level of commonality with a plurality of third party applications to which respective portions of the received sensor data are transmitted (Parag. [0010], Parag. [0125-0127], and Fig. 10; (The art ; and 
to modify at least one of the first and second portions of the received sensor data transmitted to at least one of the first one of the two or more third party applications and the second one of the two or more third party applications responsive to identifying the security risk (Parag. [0010]; (The art teaches that Unapproved applications often suffer security flaws that are unacceptable for sensitive medical data. For example, a user allows a third-party application to access data relating to glucose levels, but then is unaware that the allowed application also provides the data to additional third-party applications.  These additional third-party applications might distribute the medical data to additional applications, internet servers, or .


























Conclusion
		The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Hallwachs (US 2015/0363563) – Related art in the area of automated deployment of remote measurement, patient monitoring, and home care and multi-media collaboration services in health care and telemedicine, (Parag. [0016], the method can include determining a presence of the patient by one of scanning with the first application for a Bluetooth low energy (BLE) sensor device used as an identifying radio frequency identification (RFID) device to establish an identification of the patient, receiving a real time user input at the first client terminal, and receiving a parameterization input via the second application as part of a downloadable configuration template as part of a care path directive associated with the patient; causing the first application to confirm the presence and related identification of the patient with a cloud administration server, from which the first client terminal receives an anonymous and unique patient identification token used to record and identify the anonymous patient data  record following the transmission of the gathered patient data to the central server). 
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDELBASST TALIOUA whose telephone number is (571)272-4061.  The examiner can normally be reached on Monday-Thursday 7:30 am - 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Trost can be reached on 571-272-7872.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/A.T./Examiner, Art Unit 24422

/WILLIAM G TROST IV/Supervisory Patent Examiner, Art Unit 2442