Back to blog
healthtechvulnerabilitieshealth data

The 5 vulnerabilities we find in 90% of healthtech startups

Published on 2026-03-016 min readCleanIssue

> TL;DR: APIs exposing patient data, public buckets, missing RLS — recurring mistakes in e-health.

Healthtech startups move fast. Too fast.

Vulnerability 1: Patient APIs without adequate authentication

Endpoints returning patient data accessible with a simple token — without verifying the user has rights to THIS patient.

Vulnerability 2: Medical storage in public buckets

X-rays, prescriptions, test results in S3 or Supabase Storage without access policies.

Vulnerability 3: Missing RLS on patient tables

Any authenticated user accesses all patients' data.

Vulnerability 4: Logs containing health data

Application logs with medical information in clear text.

Vulnerability 5: Unauthenticated webhooks

Appointment creation, record modification via webhooks without identity verification.

Key Takeaways

  • Identify and test your exposed attack surfaces before a third party does.
  • Client-side security controls never replace server-side validation.
  • Regular audits are more effective than one-time checks — vulnerabilities appear with every deployment.
  • Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.

    Sources

    Written by CleanIssue
    Reviewed on 2026-03-01

    Editorial analysis based on official vendor, project, and regulator documentation.

    Related services

    If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit