MBI

'Detects MBI patterns. Excluded letters: S, L, O, I, B, Z.' This pattern is based on a Microsoft Purview built-in sensitive information type. Users already running Purview may prefer to enable the built-in SIT directly, or use this version as a starting point for customisation.

Type

regex

Engine

universal

Confidence

high

Confidence justification

High confidence: structurally constrained pattern with corroborative keyword support reduces false positive rates significantly.

Detection quality

Verified

Jurisdictions

us

Regulations

CCPA/CPRA, FTC Act s5, HIPAA, State Breach Laws (US)

Frameworks

ISO 27001, ISO 27701, SOC 2

Data categories

phi, healthcare

Scope

specific

Risk rating

8

Platform compatibility

Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible

Pattern

\b[1-9][AC-HJKMNP-RT-Y][0-9AC-HJKMNP-RT-Y]\d[AC-HJKMNP-RT-Y][0-9AC-HJKMNP-RT-Y]\d[AC-HJKMNP-RT-Y]{2}\d{2}\b

Corroborative evidence keywords

MRN, medical record number, patient ID, NPI, DEA, medicare, medicaid, insurance ID, member ID, beneficiary, ICD-10, ICD-9, CPT, NDC, SNOMED, HCPCS, diagnosis code, procedure code, drug code

Proximity: 300 characters

Should match

• 1AC4DE7HJ90 — Standard MBI format
• 9YT2FG8KP12 — Alternate MBI
• 3HK5MN7PR34 — Another valid MBI

Should not match

• 0AC4DE7HJ90 — Starts with 0 (must start with 1-9)
• 1BC4DE7HJ90 — Invalid second character (B not in valid set)
• 1AC4DE7HJ9 — Only 10 characters instead of 11

Known false positives

• Medical terminology in health education materials, research publications, clinical guidelines, or public health documents without patient-specific data. Mitigation: Require corroborative evidence keywords confirming patient context. Look for co-occurrence with patient identifiers such as medical record numbers or dates of birth.
• General wellness and fitness content using medical vocabulary without constituting protected health information. Mitigation: Layer with patient identifier patterns or healthcare-specific document structure detection to distinguish clinical records from general health content.

References

• Medicare Beneficiary Identifier (MBI) card entity definition - Microsoft Learn

Collections

• US Healthcare Compliance