Well Simple answer.
DO NOT EVER INCLUDE ANY KIND OF PERSONAL INFORMATION INTO URL.
URL is extremely easy to get from outside (e.g. javascript, screenshot, etc etc) and it should never, ever include personal information. It's like using a Social Security Number as your license plate number.
You technically can block bruteforce scanners by adding checks like if the user is in the current session and reject connection if anyone is trying to access to the URL without session information, but it's still not great approach because it will still give you some sort of response from server. (for example, if you just check session and echo that you have no permission, it will give you 200 response code, and the attacker will be able to notice that there is SOMETHING)
Please find other ways to provide your service without using personal information on URL.
As suggested below, if you decide to hash the personal information, please use longer & more character set.
If you use only 6 alphabet characters, it will take about ~9 hours with Class A brute force attack, and Class F can crack it instantly.
Please take a look at this website and make sure you hash it correctly. But then again, hashing should not be the ultimate solution.
EDIT:
If you are not displaying personal information on URL, that might be fine. You can simply generate a personal link and send it to your user via SMS or email with authentication.
That means, once user clicks the link, it will take the user to the login screen. The URL should not mean anything in this case of course.