Healthtech & e-health

Your patient data deserves more than good intentions.

Healthcare platforms handle some of the most sensitive data there is. With HDS 2.0 mandatory from May 16, 2026 and CNIL fines climbing, a security audit isn't a nice-to-have anymore — it's a legal obligation.

Applicable regulations

HDS 2.0

May 16, 2026

Health Data Hosting — certification required by May 16, 2026 for any entity hosting health data on behalf of third parties.

GDPR — sensitive data

In force

Health data is sensitive data (Art. 9). Unauthorized exposure triggers a mandatory CNIL notification within 72 hours.

CNIL — priority sector

Ongoing controls

Healthcare is a CNIL priority enforcement sector. Cegedim Santé: 15.8M patient records exposed, €800K fine in 2024.

Common healthtech vulnerabilities

  • APIs returning patient data without proper authentication
  • Missing row-level security (RLS) policies or security rules on backend-as-a-service databases (Supabase, Firebase)
  • Unauthenticated webhooks that let anyone create admin accounts
  • Medical documents stored in public buckets
  • Sensitive data stored and transmitted in the clear, with no encryption at rest or in transit
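A worked illustration of the row-level-security point above, added here and not part of the original page: the weak Supabase/Postgres table beside the corrected one. The `patient_records` table, its columns and the policy names are assumptions; `auth.uid()` and the `authenticated` role are the ones Supabase projects provide.

```sql
-- Added example (not the audit firm's own material). Table, columns and
-- policy names are assumptions; auth.uid() and the authenticated role are
-- Supabase's.

-- Weak setting: the table is created with no row-level security. Any call
-- reaching the auto-generated REST API with a valid key can read every row.
create table patient_records (
  id          uuid primary key default gen_random_uuid(),
  patient_id  uuid not null references auth.users (id),
  diagnosis   text,
  created_at  timestamptz not null default now()
);

-- Corrected setting: turn RLS on (and force it even for the table owner),
-- then let an authenticated user touch only rows whose patient_id is
-- their own auth.uid(). With no policy for the anon role, anonymous
-- requests receive zero rows instead of an error.
alter table patient_records enable row level security;
alter table patient_records force row level security;

create policy "patients read own records"
  on patient_records for select
  to authenticated
  using (patient_id = auth.uid());

create policy "patients insert own records"
  on patient_records for insert
  to authenticated
  with check (patient_id = auth.uid());

-- Check during an audit: every table holding patient data should have
-- rowsecurity = true and at least one policy listed here.
select c.relname as table_name, c.relrowsecurity as rls_enabled
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r';

select tablename, policyname, roles, cmd
from pg_policies
where tablename = 'patient_records';
```

The two checks at the end are the quickest way to spot a table that was created without RLS or with RLS enabled but no policies, which silently blocks all access for non-service roles.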

On a medical training platform, we got unauthenticated admin account creation — full access to every user's data in under two minutes.


Need an external review of your HR SaaS?

Share your product, stack, and client context. We will come back with the right review scope.

Discuss your audit