Blog

Critical Security Flaw Found in a 'HIPAA-Compliant' Healthcare Chatbot

Kevin Kulik
Security Healthcare HIPAA Third-Party Integrations
Security flaw in healthcare chatbot

It started as routine maintenance

I was doing regular maintenance for a long-term client in US healthcare. The company provides mental health services. All names and identifying details are intentionally anonymized.

Nothing about that day looked unusual. Routine updates. Plugin checks. Performance monitoring. The usual maintenance work.

Then I noticed the chatbot.

A small widget in the bottom-right corner of the site. A virtual assistant meant to help patients with appointment booking and first questions. It came from a third-party vendor that marketed the product as an enterprise healthcare chatbot and described it as HIPAA-compliant.

That label mattered. My client had chosen the vendor because the compliance claim lowered the perceived risk. In healthcare, that is often enough to get a tool approved.

I opened the code anyway.

Not because I had proof something was wrong. Mostly because this is exactly where problems tend to hide. If you maintain websites long enough, you learn to distrust third-party integrations that ask for a lot of trust and give very little technical visibility in return.

What I found over the next few hours was not a minor bug. It was a full vulnerability chain.

The first red flag

Anyone who reviews client-side JavaScript eventually runs into obfuscated code. That part is normal. Vendors do it to make reverse engineering harder or to protect intellectual property.

What is not normal is finding sensitive material inside that code and hoping nobody looks closely enough to extract it.

In this case, I found an AES key used for client-side encryption. It was obfuscated, but still recoverable. Once extracted, it made it possible to decrypt the data the application was trying to protect.

That was the moment the whole thing stopped looking like a simple implementation shortcut and started looking dangerous.

Because this key was not protecting one isolated value. It was part of the only meaningful barrier between a public-facing chatbot widget and systems that should never have been reachable from the browser.

From one client-side key to full access

Once the key was extracted, the rest of the chain came together quickly.

Using that key, I was able to:

  1. Decrypt and forge API tokens. The application used encrypted tokens for API communication. With the key in hand, those tokens were no longer trustworthy.
  2. Reach the backend API directly. The API accepted requests from any origin because of an overly permissive CORS configuration.
  3. Decrypt cloud credentials returned by the API. The backend exposed encrypted credentials that should never have reached the client in the first place. With the same key, those credentials became readable.

At that point I had what amounted to the keys to the vendor’s Dialogflow environment for my client’s chatbot.

That is the moment where you stop thinking in terms of “interesting finding” and start thinking in terms of containment, verification, and disclosure.

Why this was more than a privacy issue

Before reporting the issue, I needed to understand the real-world severity. I continued only as far as necessary to verify impact and stayed within the scope of my maintenance agreement.

The credentials worked.

As soon as that was clear, I informed my client immediately and stopped further testing. No data was altered, deleted, or exfiltrated.

With those credentials, an attacker could have gained full read and write access to the chatbot agent. That means more than reading configuration. It means the ability to inspect and modify the responses the chatbot gives to vulnerable users.

In a generic SaaS product, that is already serious. In a mental health context, it becomes something else entirely.

An attacker could potentially have:

  • changed therapeutic guidance shown to patients
  • removed or altered crisis-response flows
  • accessed training data or conversation history
  • replaced the bot’s behavior entirely by importing modified intents or responses

That is not just a data protection issue. It is a patient safety issue.

People often interact with mental health chat tools when they are anxious, isolated, or in crisis. If those responses can be manipulated, the harm goes far beyond compliance exposure. You are no longer talking only about privacy notices, BAAs, or vendor paperwork. You are talking about whether a healthcare organization can trust a patient-facing system to behave safely.

That was the real severity.

What else the review uncovered

Once the initial chain was clear, I expanded the review and found a broader pattern: the product’s compliance marketing and the technical implementation were nowhere close to each other.

Among the additional findings:

  • 12+ known CVEs in outdated dependencies, including a critical vulnerability with a CVSS score of 9.1
  • multiple end-of-life frameworks that were no longer receiving security updates
  • session replay and error tracking without effective masking, which created a risk of sensitive patient inputs being captured in plain text
  • false privacy messaging, including claims that the chatbot did not store personal information or conversation history even though the implementation suggested otherwise

Taken together, the issue was not “one bad line of code.” It was a systemic failure of architecture, dependency hygiene, and compliance credibility.

The vendor presented the tool as safe for healthcare. The code said otherwise.

What I check in third-party tools by default

This is the part many teams underestimate: you do not need a dramatic zero-day to end up with a serious exposure. Most of the time the dangerous issues are mundane.

When I review a third-party integration that touches sensitive data, I usually start with the same set of questions:

  • Client-side code: Is anything being shipped to the browser that clearly should not be there?
  • Token handling: Are tokens static, reproducible, or reconstructible in the frontend?
  • CORS and authentication: Can the API be called by any origin, or are there real restrictions in place?
  • Backend responses: Is the API returning configuration, credentials, IDs, or internal metadata that should remain server-side?
  • Analytics and session replay: Is user input captured, masked, or forwarded to third parties?
  • Dependencies: Are key libraries outdated, end-of-life, or publicly vulnerable?
  • Marketing vs. reality: Do the privacy and compliance claims match what the code is actually doing?

These checks are not a substitute for a full security program. But they are often enough to expose the kinds of problems that slip through when procurement relies too heavily on vendor claims.

Disclosure and remediation

I reported the issue to my client on January 14, 2026. The message was direct: critical finding, immediate action required.

The response was fast. My client escalated to the chatbot vendor. An external security provider was brought in. The widget was disabled server-side to contain risk. I initially shared a redacted report and requested a secure transfer path for the full technical documentation.

The timeline looked roughly like this:

  • Day 0: finding discovered during routine maintenance
  • Day 1: client notified, formal escalation initiated
  • Day 1-2: containment, widget disabled, redacted report shared
  • Week 1-2: remediation work by the vendor
  • Week 2: QA verification of the fixes

Over that period, the vendor:

  • revoked and rotated exposed credentials
  • removed sensitive material from frontend-delivered code
  • fixed the CORS configuration
  • introduced proper server-side authentication and token handling
  • moved sensitive processing out of the client

Two weeks later, I was asked to verify the remediation. I retested the affected areas and confirmed that the original attack chain had been broken.

Why I shared the report in redacted form first

In cases like this, documentation has to balance clarity with restraint.

You need enough detail for the client and vendor to understand the issue, reproduce it, and fix it. But you do not want to spray operationally useful exploit details across email threads or shared documents before containment is complete.

That is why the initial report was redacted. Sensitive values, exploit details, and infrastructure specifics were withheld until a secure transfer path was in place.

That is standard responsible disclosure. It protects the client, reduces abuse risk, and keeps the remediation process focused.

What healthcare teams should take from this

There are a few uncomfortable lessons in this case.

1. “Compliant” is not the same as secure

A vendor can say HIPAA-compliant, GDPR-compliant, or enterprise-ready. That does not automatically tell you anything meaningful about the quality of the code or the security of the architecture.

At best, those claims tell you the vendor understands the language of compliance. They do not prove that the implementation holds up under scrutiny.

If a vendor matters to your risk profile, ask harder questions:

  • When was the last real security assessment?
  • Who performed it?
  • What scope was covered?
  • Can they provide a summary, report, or attestation beyond marketing copy?

2. Third-party integrations are part of your attack surface

Every widget, chatbot, booking tool, analytics snippet, and embedded platform becomes part of your system the moment it lands on your site.

You may not build it. You may not host it. But if it handles your users’ data, its failures become your problem.

That is especially true in healthcare, where sensitive user interactions happen in contexts that depend heavily on trust.

3. Real maintenance is more than clicking update

If I had limited the work to CMS updates, backups, and uptime checks, this issue would have remained in place.

This is the difference between maintenance as a checklist and maintenance as ongoing technical scrutiny.

The most dangerous issues are often discovered not because someone ran a magical tool, but because someone looked closely, asked obvious questions, and followed the logic all the way through.

4. The most expensive problems are often the invisible ones

Security work can feel abstract until something goes wrong. That makes it easy to underinvest in it.

But once an incident becomes public, the costs are no longer abstract. Then you are dealing with legal exposure, response costs, patient trust, vendor escalation, internal disruption, and possibly regulatory scrutiny.

The reason proactive review matters is simple: it is cheaper to be skeptical early than to explain preventable damage later.

A quick reality check for your own integrations

If your site uses third-party tools, these are good starting questions:

  1. Do you know every tool currently embedded on the site?
  2. Do you know what data passes through each one?
  3. Do you have evidence behind the vendor’s compliance claims, not just sales language?
  4. Do you know whether the technology stack is current and supported?
  5. Do analytics, session replay, or monitoring tools capture sensitive user input?

If you are unsure about two or more of those, a focused security review is usually worth it.

Most sites do not need panic. They need clarity.

Final thought

When I found this chain, my first reaction was disbelief.

A vendor working in healthcare, selling into a compliance-heavy environment, should not be exposing the kind of material I found in a public-facing integration.

But it happened. And it almost certainly is not unique.

That is the part worth remembering.

The dangerous integrations are usually not the ones that look risky. They are the ones everyone assumed had already been vetted because the vendor knew the right words to use.

Using third-party tools on your website?

Chatbots, booking tools, analytics platforms, embedded widgets: every integration adds risk, especially when sensitive data is involved.

I review third-party integrations for security, privacy, and compliance gaps. No panic marketing. No checkbox theater. Just a sober assessment of what the code on your site is actually doing.

Let’s talk about your website ->

This article describes a real client case. Identifying details have been anonymized. The technical facts are accurate. The affected client agreed to publication in anonymized form.