This paper focuses on privacy risks in health databases that arise in assistive environments, where humans interact with the environment and this information is captured, assimilated and events of interest are extracted. The stakeholders of such an environment can range from caregivers to doctors and supporting family. The environment also includes objects the person interacts with, such as, wireless devices that generate data about these interactions. The data streams generated by such an environment are massive. Such databases are usually considered hidden, i.e., are only accessible online via restrictive front-end web interfaces. Security issues specific to such hidden databases, however, have been largely overlooked by the research community, possibly due to the false sense of security provided by the restrictive access to such databases. We argue that an urgent challenge facing such databases is the disclosure of sensitive aggregates enabled by recent studies on the sampling of hidden databases through its public web interface. To protect sensitive aggregates, we enunciate the key design principles, propose a three-component design, and suggest a number of possible techniques that may protect sensitive aggregates while maintaining the service quality for normal search users. Our hope is that this paper sheds lights on a fruitful direction of future research in security issues related to hidden web databases.