The 5 vulnerabilities we find in 90% of healthtech startups
Healthtech startups move fast. Too fast.
Vulnerability 1: Patient APIs without adequate authentication
Endpoints that return patient data accept any valid token without verifying that the caller actually has rights to this particular patient.
Vulnerability 2: Medical storage in public buckets
X-rays, prescriptions and test results stored in S3 or Supabase Storage buckets without access policies.
Vulnerability 3: Missing RLS on patient tables
Without Row Level Security on patient tables, any authenticated user can read every patient's data.
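The Supabase setup behind this finding, as an added illustration that is not part of the original article: a patients table with RLS switched off beside the hardened version that restricts reads to the patient's own care team. The `patients` and `care_team` tables and their columns are assumed for the example; `auth.uid()` is Supabase's built-in helper returning the caller's user id.

```sql
-- Hypothetical schema for the example.
create table public.patients (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid,              -- the patient's own auth.users id, if they have an account
  full_name  text not null,
  diagnosis  text
);

-- Which practitioners are allowed to see which patient.
create table public.care_team (
  patient_id      uuid references public.patients(id) on delete cascade,
  practitioner_id uuid not null, -- auth.users id of the practitioner
  primary key (patient_id, practitioner_id)
);

-- The state we find: RLS never enabled. Through the auto-generated REST API,
-- any signed-in user running `select * from patients` gets every row back.
-- (Equivalent to: alter table public.patients disable row level security;)

-- Hardened: enable RLS, which denies everything until a policy allows it.
alter table public.patients  enable row level security;
alter table public.care_team enable row level security;

-- A practitioner may read a patient only if they are on that patient's care team.
create policy "care team reads patient"
  on public.patients for select
  to authenticated
  using (
    exists (
      select 1 from public.care_team ct
      where ct.patient_id = patients.id
        and ct.practitioner_id = auth.uid()
    )
  );

-- A patient may read their own record.
create policy "patient reads own record"
  on public.patients for select
  to authenticated
  using (user_id = auth.uid());

-- Practitioners may only see their own care-team assignments.
create policy "practitioner reads own assignments"
  on public.care_team for select
  to authenticated
  using (practitioner_id = auth.uid());
```

Note that no policy grants anything to the `anon` role and no policy uses `using (true)`; either of those would reopen the table to every caller.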
Vulnerability 4: Logs containing health data
Application logs that write medical information in clear text.
Vulnerability 5: Unauthenticated webhooks
Webhook endpoints that create appointments or modify records without verifying the identity of the sender.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.