AI in Healthcare Raises Privacy Gaps and Patient-Safety Risks
AI-driven healthcare tools are expanding rapidly, but legal and security protections for patient data often lag behind their clinical ambitions. Reporting highlighted that consumer-facing medical chatbots and AI health offerings from OpenAI, Anthropic, and Google may fall outside HIPAA obligations in many common use cases, meaning sensitive health information shared with these services may not receive the same statutory protections as data handled by regulated healthcare providers; experts warned that terms-of-service promises are not equivalent to regulated safeguards and that non-HIPAA consumer health data can be sold or shared with third parties, including data brokers.
Separately, an investigation summarized from Reuters described patient-safety concerns tied to “AI-enhanced” medical devices, citing lawsuits and FDA adverse-event reporting that allege AI-related changes contributed to serious surgical injuries. One example involved an AI-updated sinus surgery navigation system where reported malfunctions increased sharply after an AI “enhancement,” though the reporting noted FDA incident data is incomplete and does not by itself prove causation; the same coverage also pointed to a higher recall rate for FDA-authorized medical AI devices versus baseline and described FDA capacity constraints in reviewing AI-enabled devices due to staffing losses in relevant technical teams.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Experts warn medical chatbots may fall outside HIPAA protections
Legal and healthcare specialists told CyberScoop that AI health applications from companies such as OpenAI, Anthropic, and Google may not be regulated under HIPAA in the same way as covered healthcare entities. They warned this can leave users exposed to weaker privacy guarantees, ambiguous compliance claims, and limited breach-notification obligations.
AI-enhanced medical devices are linked to rising malfunction allegations
A Reuters investigation reviewed lawsuits and FDA adverse-event reports involving three AI-enhanced medical devices, including Acclarent’s TruDi Navigation System, and found allegations that injuries and malfunctions increased after AI-related updates were introduced. Reuters noted the FDA reports were incomplete and did not definitively prove AI caused the incidents.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Why your AI doctor doesn't follow HIPAA: The hidden risks of medical chatbots | CyberScoop
cyberscoop.com
Open sourceAdding AI to sinus surgery system saw malfunctions rocket from eight to 100 incidents, according to new investigation - skull-puncturing errors are the stuff of nightmares | Tom's Hardware
tomshardware.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AI Chatbots in Healthcare Raise Security and Governance Concerns
The deployment of AI-powered chatbots in healthcare is raising significant concerns among governance analysts and security experts. With the recent launch of ChatGPT Health by OpenAI, users can now connect medical records and wellness apps to receive personalized health guidance, a service reportedly used by over 230 million people weekly. Google has also entered the space through a partnership with health data platform b.well, indicating a trend toward broader adoption of AI-driven health advice. Experts warn that while some AI errors are obvious, others—such as plausible but potentially dangerous recommendations—may go undetected, especially for vulnerable populations. The lack of regulatory oversight and the inherent limitations of large language models, which generate authoritative-sounding responses without true understanding or uncertainty calibration, amplify these risks. Security professionals highlight the concept of "verification asymmetry," where users may be unable to distinguish between accurate and harmful advice generated by AI chatbots. This asymmetry, combined with the probabilistic nature of AI models, means that failures can be subtle and difficult to detect, potentially leading to adverse health outcomes. The rapid integration of AI into healthcare underscores the urgent need for robust governance, transparency, and safety mechanisms to mitigate risks associated with automated medical guidance and the handling of sensitive health data.
Mar 21, 2026
AI-Driven Patient Health Data Access and Associated Security Risks
Healthcare providers and health IT vendors are increasingly adopting artificial intelligence (AI) tools, such as AI assistants, to enhance patient access to electronic health records. The Department of Health and Human Services (HHS) is actively promoting initiatives to improve interoperability between digital health platforms and applications, aiming to make it easier for patients to access and understand their health information. One such initiative, 'Make Health Technology Great Again,' encourages the development and use of third-party patient applications, including conversational AI assistants, to provide patients with more personalized insights and support better health decisions. However, the integration of AI into patient data access workflows introduces significant data privacy and security challenges. Providers must ensure that electronic health information is securely transmitted among multiple healthcare organizations, maintaining compliance with regulatory requirements. Attorney Alisa Chestler of Baker Donelson highlights the need for healthcare entities to balance the benefits of AI-enabled access with the risks of unauthorized data exposure and potential breaches. Regulatory considerations are evolving as agencies like HHS emphasize both patient empowerment and the safeguarding of sensitive health data. The use of AI in this context raises concerns about data sharing, consent management, and the potential for misuse of personal health information. Healthcare organizations are urged to implement robust security measures, including encryption and access controls, to mitigate risks associated with AI-driven data access. The legal landscape is also shifting, with new guidelines and enforcement actions expected to address emerging threats. Vendors developing AI health applications must prioritize privacy-by-design principles and ensure transparency in data handling practices. The conversation around AI and patient data access is further complicated by the need for interoperability, which can increase the attack surface for malicious actors. Stakeholders are advised to stay informed about regulatory updates and best practices for securing AI-enabled health data systems. The ongoing dialogue between regulators, providers, and technology vendors is critical to achieving a balance between innovation and security. Ultimately, the adoption of AI in healthcare data access presents both opportunities for improved patient outcomes and challenges in maintaining data integrity and confidentiality.
Mar 21, 2026
Policy and industry debate over AI safety, governance, and data protection
U.S. policymakers and industry leaders are escalating scrutiny of **AI safety and data protection**, with a particular focus on sensitive data flows and the adequacy of existing guardrails. In a Senate HELP Committee hearing, lawmakers questioned whether federal guardrails are needed to protect Americans’ healthcare data voluntarily uploaded to AI-enabled apps and wearables that may fall outside HIPAA coverage, raising concerns about liability, downstream data use, and integration into medical records; HHS noted it is collecting public input via a request for information on safe and effective AI deployment in healthcare. Separately, commentary on AI governance and safety argues competitive pressure among frontier AI labs can erode safety practices and that clearer antitrust guidance could enable cross-industry collaboration on safety standards without triggering enforcement risk. Tensions over AI “red lines” in national security use also became more public, as **Anthropic** CEO Dario Amodei accused **OpenAI** of misleading messaging about defense work amid reports that Anthropic’s DoD talks faltered over restrictions related to mass domestic surveillance and autonomous weapons, while OpenAI described its agreement as permitting “all lawful purposes” alongside stated prohibitions. Broader, non-incident reporting highlighted enterprise investment to support *agentic AI* (with many data leaders citing governance lagging AI adoption) and general concerns about deepfakes, opaque models, and societal risk; however, several items in the set were primarily newsletters, vendor/industry promotion, or general-interest AI commentary rather than a single, discrete cybersecurity incident or vulnerability disclosure.
Mar 21, 2026