The 5 vulnerabilities we find in 90% of healthtech startups
> TL;DR: APIs exposing patient data, public buckets, missing RLS — recurring mistakes in e-health.
Healthtech startups move fast. Too fast.
Vulnerability 1: Patient APIs without adequate authentication
Endpoints returning patient data accessible with a simple token — without verifying the user has rights to THIS patient.
Vulnerability 2: Medical storage in public buckets
X-rays, prescriptions, test results in S3 or Supabase Storage without access policies.
Vulnerability 3: Missing RLS on patient tables
Any authenticated user accesses all patients' data.
Vulnerability 4: Logs containing health data
Application logs with medical information in clear text.
Vulnerability 5: Unauthenticated webhooks
Appointment creation, record modification via webhooks without identity verification.
Key Takeaways
Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.
Related articles
Three adjacent analyses to keep exploring the same attack surface.
Healthtech on Supabase: patient records and RLS pitfalls that stick
A patient record needs stricter isolation than a regular SaaS. Common RLS mistakes in young healthtech products.
The 10 flaws we found most in 2025-2026
Ranked list of most frequent vulnerabilities across our audits. Missing RLS at #1, unauthenticated webhooks at #2, exposed API keys at #3.
Health data in HR: sick leave, medical visits, accommodations — the blind spots
HR vendors handle more health data than they realize. Three angles where the health/HR boundary is poorly protected.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.