Systems and processes for assembling de-identified patient healthcare data
records in a longitudinal database are provided. The systems and
processes may be implemented over multiple data suppliers and common
database facilities while ensuring patient privacy. At the data supplier
locations, patient-identifying attributes in the data records are placed
in standard format and then doubly encrypted using a pair of encryption
keys before transmission to a common database facility. The pair of
encryption keys includes a key specific to the data supplier and a key
specific to the common database facility. At the common database
facility, the encryption specific to the data supplier is removed, so
that multi-sourced data records have only the common database encryption.
Without direct access to patient-identifying information, the encrypted
data records are assigned dummy labels or tags by which the data records
can be longitudinally linked in the database. The tags are assigned based
on statistical matching of the values of a select set of encrypted data
attributes against a reference database of tags and their associated
encrypted data attribute values.
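The following is an added, illustrative implementation of the pipeline described above; it is not code from the page or from any vendor system. Its assumptions are labelled: the inner common-database layer is a keyed hash (HMAC-SHA256) rather than a reversible cipher, which is enough because the facility only ever compares encrypted values for equality; the outer supplier layer is a toy HMAC-keystream stream cipher so the block runs on the standard library alone (a production system would use an authenticated cipher); the facility holds each supplier's key but never the common key; and "statistical matching" is reduced to a weighted attribute-agreement score with a fixed threshold. The sample records and weights are constructed for the demonstration.

```python
"""Added example (not from the page): standardize, double-encrypt, strip the
supplier layer at the common facility, and assign linkage tags by matching
encrypted attribute values against a reference database."""
import hashlib
import hmac
import os
import re

FIELDS = ("last", "first", "dob", "sex", "zip")
# Assumed weights: a match on last name and date of birth is not enough by
# itself; the threshold requires one more agreeing attribute.
WEIGHTS = {"last": 4, "first": 2, "dob": 4, "sex": 1, "zip": 2}
THRESHOLD = 10


def _dob(s):
    """Accept YYYY-MM-DD, YYYYMMDD or MM/DD/YYYY; anything else becomes empty."""
    m = re.fullmatch(r"(\d{4})-?(\d{2})-?(\d{2})", s.strip())
    if m:
        return "".join(m.groups())
    m = re.fullmatch(r"(\d{2})/(\d{2})/(\d{4})", s.strip())
    return m.group(3) + m.group(1) + m.group(2) if m else ""


def standardize(rec):
    """Step 1 (supplier site): put identifying attributes in a standard format."""
    return {
        "last": re.sub(r"[^A-Z]", "", rec.get("last", "").upper()),
        "first": re.sub(r"[^A-Z]", "", rec.get("first", "").upper()),
        "dob": _dob(rec.get("dob", "")),
        "sex": rec.get("sex", "").strip().upper()[:1],
        "zip": re.sub(r"\D", "", rec.get("zip", ""))[:5],
    }


def common_layer(std, common_key):
    """Step 2 (supplier site): inner layer under the common-facility key.
    Deterministic so equal values from different suppliers stay comparable.
    Empty attributes stay empty: hashing "" would make every record that is
    missing the field agree with every other one."""
    return {f: hmac.new(common_key, f"{f}:{std[f]}".encode(), hashlib.sha256).hexdigest()
            if std[f] else "" for f in FIELDS}


def _keystream(key, nonce, n):
    """Toy counter-mode keystream from HMAC (assumption; no integrity protection)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def supplier_layer(inner, supplier_key):
    """Step 3 (supplier site): outer, reversible layer under the supplier key."""
    nonce = os.urandom(12)
    blob = "|".join(inner[f] for f in FIELDS).encode()
    ct = bytes(a ^ b for a, b in zip(blob, _keystream(supplier_key, nonce, len(blob))))
    return nonce + ct


def strip_supplier_layer(packet, supplier_key):
    """Step 4 (common facility): remove the supplier layer; the common layer remains."""
    nonce, ct = packet[:12], packet[12:]
    blob = bytes(a ^ b for a, b in zip(ct, _keystream(supplier_key, nonce, len(ct))))
    return dict(zip(FIELDS, blob.decode().split("|")))


class Reference:
    """Step 5 (common facility): tag assignment over encrypted attributes only."""

    def __init__(self):
        self.tags = {}  # tag -> encrypted attribute values seen so far

    def assign(self, enc):
        best, best_score = None, 0
        for tag, ref in self.tags.items():
            score = sum(WEIGHTS[f] for f in FIELDS if enc[f] and enc[f] == ref[f])
            if score > best_score:
                best, best_score = tag, score
        if best_score >= THRESHOLD:
            for f in FIELDS:  # keep attributes an earlier source lacked
                if not self.tags[best][f]:
                    self.tags[best][f] = enc[f]
            return best
        tag = f"T{len(self.tags) + 1:04d}"
        self.tags[tag] = dict(enc)
        return tag


def demo():
    """Run constructed records from two suppliers through the pipeline; return tags."""
    common_key = os.urandom(32)  # held by a key holder, never by the facility (assumed)
    supplier_keys = {"pharmacy": os.urandom(32), "lab": os.urandom(32)}
    submissions = [  # constructed sample data
        ("pharmacy", {"last": "O'Neil", "first": "Ann", "dob": "1980-02-03", "sex": "F", "zip": "02139-1234"}),
        ("lab", {"last": "ONEIL", "first": "ANN", "dob": "02/03/1980", "sex": "f", "zip": ""}),
        ("lab", {"last": "Smith", "first": "Ann", "dob": "1980-02-03", "sex": "F", "zip": "02139"}),
        ("pharmacy", {"last": "Oneil", "first": "A.", "dob": "19800203", "sex": "F", "zip": "02139"}),
    ]
    ref, tags = Reference(), []
    for supplier, rec in submissions:
        packet = supplier_layer(common_layer(standardize(rec), common_key), supplier_keys[supplier])
        tags.append(ref.assign(strip_supplier_layer(packet, supplier_keys[supplier])))
    return tags
```

In `demo()` the first, second and fourth records link to one tag despite different name casing, punctuation, a date in a different format, a missing ZIP and an abbreviated first name, while the third record (same first name, birth date, sex and ZIP but a different surname) falls below the threshold and gets a new tag. Two caveats a practitioner should keep in mind: the inner layer has to be deterministic for matching to work at all, so equal plaintexts yield equal values and the facility can still observe value frequencies (for example which encrypted ZIP is most common) even though it cannot invert them; and the weights and threshold decide the trade-off between false links and missed links, so they should be tuned on labelled data rather than set by hand as they are here.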