
ChatGPT Health & Clinical AI: A Cybersecurity Perspective on Consumer Health AI


ChatGPT is already being used to interpret lab results, explain diagnoses, and help users prepare for clinical interactions. For many individuals, it has quietly become part of how they process and understand their own health data. ChatGPT Health formalises that behaviour by introducing a dedicated health interface, enabling users to connect medical records and wellness data, and adding isolation controls intended to reduce some of the risks associated with general-purpose AI usage, as outlined in OpenAI’s official ChatGPT Health announcement.


At a surface level, this appears to be a step toward safer use of AI in healthcare contexts. However, from a cybersecurity and governance perspective, it represents something more structurally significant: a large-scale shift in which users voluntarily move sensitive health data into a system that is not designed, governed, or operated as a healthcare environment. This places ChatGPT Health squarely within a broader category of healthcare data security challenges, where the primary concern is not model behaviour, but loss of control over sensitive data flows.



The core issue: ChatGPT Health operates as an interface, not a controlled system

ChatGPT Health introduces meaningful improvements compared to standard ChatGPT deployments, including separation between health and general conversations, exclusion of health data from model training, encryption in transit and at rest, and user-controlled deletion and disconnection of data sources. These controls reduce a narrow class of risks, particularly those associated with model training and unintended reuse of sensitive inputs. They do not address the more important question: who controls the data, and under what enforceable framework.


ChatGPT Health remains a consumer system and does not operate under the governance structures that define healthcare environments, such as Business Associate Agreements (BAAs), institutional audit logging, role-based access control, enforceable retention policies, or integration with clinical incident response processes. This distinction is decisive. It determines whether a system can be used within regulated workflows, not whether it appears secure at a surface level.



The “Shadow EHR” effect and why aggregation changes the risk model

When users connect medical records or upload clinical data into ChatGPT Health, the system begins to function as a personal health record in all but name. It aggregates clinical notes, lab results, longitudinal trends, and interpreted summaries into a single interface that is easier to query than any hospital portal.


From a usability perspective, this is a clear improvement. From a security perspective, it creates a new class of asset. A “shadow EHR” is not simply a copy of medical data. It is a curated, aggregated, and queryable dataset, often enriched with interpretation. That combination makes it significantly more valuable to an attacker than raw records stored across fragmented systems.


In traditional healthcare infrastructure, access to these data points is distributed, monitored, and constrained by institutional controls. In ChatGPT Health, that same data becomes accessible through a single account boundary. This collapses multiple control layers into one, and fundamentally changes the blast radius of compromise.



The privacy cliff: when regulatory protection no longer applies in practice

Health data inside healthcare systems is protected by regulatory frameworks that define both technical and organisational controls. In the United States, HIPAA requires risk analysis, access controls, audit logging, integrity safeguards, and secure transmission of data, as outlined in the HHS guidance on HIPAA security requirements.


In the European Union, GDPR classifies health data as a special category and imposes strict requirements on processing, security, and accountability, as defined in the GDPR Regulation (EU) 2016/679. These protections are not inherent to the data itself; they are enforced through the systems and entities that control it.


When users export or connect this data into consumer platforms, those controls are no longer applied in the same way. This creates what can be described as a privacy cliff: the sensitivity of the data remains unchanged, but the governance, auditability, and enforcement mechanisms that protect it are significantly reduced. Industry analysis has already pointed to this gap in the context of ChatGPT Health integrations and data use.


For organisations, this is not a theoretical concern. It represents a direct loss of visibility into where patient data resides and how it is processed.



Data isolation does not solve for accountability

OpenAI’s architecture introduces logical separation between health and non-health contexts and excludes health data from model training. These are important design decisions and should be acknowledged as improvements over general-purpose AI usage.


However, isolation and encryption address data handling at the system level, not control at the organisational level.


A system can be well isolated, encrypted, and segmented, and still fail to provide:

  • visibility into access
  • enforceable access controls
  • audit trails suitable for investigation
  • integration with incident response


In healthcare environments, these capabilities are not optional; they are required for defensibility. In ChatGPT Health, they are largely absent or delegated to user behaviour, which introduces variability that cannot be controlled at scale.



Integration expands the attack surface in ways that are not obvious to users

The integration layer is one of the most powerful features of ChatGPT Health, and also one of its least understood risk factors. Through platforms such as b.well, which aggregate health data via FHIR-based APIs, the system becomes a central access point for multiple data sources, including clinical records, wellness data, and derived insights.


This introduces several compounding risks. Token-based access to external systems creates persistent trust relationships that may not be visible to users after initial authorisation. The system becomes dependent on the security posture of third-party providers, which may vary significantly. Most importantly, the aggregation of data into a single interface increases both the value of the target and the impact of compromise.


From a threat-modeling perspective, each additional integration does not just add functionality; it increases the size and complexity of the attack surface.
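One way to make those persistent trust relationships visible is to inventory every connected data source as a grant and flag the properties that keep it alive or widen what it reaches. The script below is an added example for this discussion; it is not code from OpenAI, b.well or any ChatGPT Health component. The grant records are constructed, the field names and the 90-day staleness threshold are assumptions, and the scope strings follow SMART on FHIR v1 syntax ("<context>/<Resource>.<read|write|*>"). It reports, per provider, why a grant deserves review, and computes the set of FHIR resource types reachable through the single account boundary, which is the aggregation effect the article describes.

```python
"""Inventory of persistent third-party grants attached to a health account.

Added example: not code from OpenAI, b.well or ChatGPT Health. Grant records
are constructed; field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Grant:
    provider: str                   # aggregator or EHR endpoint (constructed names)
    scopes: tuple                   # SMART on FHIR scopes requested at authorisation
    issued_at: datetime
    last_used: Optional[datetime]   # None = never exercised since consent
    has_refresh_token: bool         # "offline_access": survives access-token expiry
    expires_at: Optional[datetime]  # None = the grant has no end date


def parse_scope(scope):
    """Return (context, resource, access) for a clinical scope, else None.

    'patient/Observation.read' -> ('patient', 'Observation', 'read')
    'openid', 'fhirUser', 'offline_access' -> None (identity/session scopes)
    """
    if "/" not in scope or "." not in scope:
        return None
    context, rest = scope.split("/", 1)
    if context not in ("patient", "user", "system"):
        return None
    resource, access = rest.rsplit(".", 1)
    return context, resource, access


def reachable_resources(grants):
    """FHIR resource types readable through any grant on the account.

    A wildcard scope is reported as '*' because it covers every resource type.
    """
    out = set()
    for g in grants:
        for s in g.scopes:
            parsed = parse_scope(s)
            if parsed and parsed[2] in ("read", "*"):
                out.add(parsed[1])
    return out


def grant_findings(grant, now, stale_after=timedelta(days=90)):
    """Flag the properties that make a grant a persistent, low-visibility trust path."""
    findings = []
    for s in grant.scopes:
        parsed = parse_scope(s)
        if parsed is None:
            continue
        context, resource, access = parsed
        if resource == "*":
            findings.append(f"wildcard resource scope: {s}")
        if context in ("user", "system"):
            findings.append(f"scope not limited to the patient compartment: {s}")
        if access in ("write", "*"):
            findings.append(f"write access granted: {s}")
    if grant.has_refresh_token and grant.expires_at is None:
        findings.append("refresh token with no expiry: access persists until revoked")
    last_activity = grant.last_used or grant.issued_at
    if now - last_activity > stale_after:
        days = (now - last_activity).days
        findings.append(f"no use in {days} days: candidate for revocation")
    return findings


def audit(grants, now):
    """Map each provider to its list of findings (empty list = nothing flagged)."""
    return {g.provider: grant_findings(g, now) for g in grants}


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed reference time

# Constructed grants: one broad aggregator, one narrow portal, one stale app.
CONSTRUCTED_GRANTS = [
    Grant("example-aggregator", ("openid", "fhirUser", "offline_access", "patient/*.read"),
          NOW - timedelta(days=200), NOW - timedelta(days=2), True, None),
    Grant("example-clinic-portal", ("patient/Observation.read", "patient/DiagnosticReport.read"),
          NOW - timedelta(days=30), NOW - timedelta(days=1), False, NOW + timedelta(days=60)),
    Grant("example-wellness-app", ("offline_access", "user/Observation.write"),
          NOW - timedelta(days=400), None, True, None),
]

if __name__ == "__main__":
    for provider, findings in audit(CONSTRUCTED_GRANTS, NOW).items():
        print(provider, "->", findings or ["no findings"])
    print("reachable resource types:", sorted(reachable_resources(CONSTRUCTED_GRANTS)))
```

Run against a real inventory, the useful outputs are the providers whose grants persist without use and the size of the reachable set: one wildcard read scope makes the account equivalent to the union of every connected record source.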



The dominant risk is account compromise, not model misuse

While much of the public discussion around AI systems focuses on hallucinations, bias, or model misuse, the primary risk in this architecture is considerably more straightforward. It is account compromise.


A ChatGPT Health account may contain a consolidated view of an individual’s health history, enriched with interpretation and connected to external data sources. If that account is compromised through phishing, credential reuse, SIM swapping, or session hijacking, the attacker gains access to a dataset that is both comprehensive and immediately usable.


This differs from traditional breaches, where data is often fragmented or requires additional processing to extract value. In this case, the system itself performs that aggregation and interpretation in advance. The result is a significantly increased blast radius from a single point of failure.
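Because the account is the single point of failure, the detections that matter most are the ones that fire on the account's own sign-in and activity trail. The following is an added example for this section, not code from OpenAI or ChatGPT Health; the log is constructed, and the event names, field names and thresholds are assumptions. It walks each user's events in time order and raises three indicators that a defender would want to see before a consolidated health record is read out: a successful sign-in right after a burst of failures (the credential-reuse pattern), a sign-in from a device never seen on that account, and a sensitive action (export, new integration, MFA or password change) within an hour of such a sign-in.

```python
"""Account-takeover indicators over a constructed sign-in and activity log.

Added example: not code from OpenAI or ChatGPT Health. Event shapes, names
and thresholds are assumptions about what an application audit trail records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE = {"export_records", "integration_added", "mfa_disabled", "password_changed"}


def ts(s):
    return datetime.fromisoformat(s)


def detect(events, failure_threshold=5, failure_window=timedelta(minutes=10),
           followup_window=timedelta(hours=1)):
    """Return (user, time, indicator, detail) tuples for suspicious sequences."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        known_devices = set()      # devices seen on successful sign-ins so far
        failures = []              # timestamps of failed sign-ins not yet cleared
        new_device_login = None    # time of the latest sign-in from an unseen device
        for e in evs:
            kind, when = e["event"], e["ts"]
            if kind == "login_failed":
                failures.append(when)
            elif kind == "login_ok":
                recent = [t for t in failures if when - t <= failure_window]
                if len(recent) >= failure_threshold:
                    alerts.append((user, when, "success_after_failure_burst",
                                   f"{len(recent)} failures within {failure_window}"))
                failures = []
                # The first sign-in seeds the baseline; later unseen devices are flagged.
                if known_devices and e["device"] not in known_devices:
                    alerts.append((user, when, "new_device_signin",
                                   f"device {e['device']} from {e['ip']}"))
                    new_device_login = when
                else:
                    new_device_login = None
                known_devices.add(e["device"])
            elif kind in SENSITIVE:
                if new_device_login is not None and when - new_device_login <= followup_window:
                    alerts.append((user, when, "sensitive_action_after_new_device", kind))
    return alerts


def alert_kinds(events, user):
    """Indicator names raised for one user, in time order."""
    return [a[2] for a in detect(events) if a[0] == user]


# Constructed log. 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
EVENTS = [
    {"ts": ts("2025-06-01T08:00:00"), "user": "alice", "event": "login_ok",
     "device": "a1", "ip": "198.51.100.10"},
    {"ts": ts("2025-06-01T08:05:00"), "user": "alice", "event": "export_records",
     "device": "a1", "ip": "198.51.100.10"},
    {"ts": ts("2025-06-02T03:04:00"), "user": "alice", "event": "login_ok",
     "device": "a9", "ip": "203.0.113.7"},
    {"ts": ts("2025-06-02T03:06:00"), "user": "alice", "event": "integration_added",
     "device": "a9", "ip": "203.0.113.7"},
    {"ts": ts("2025-06-01T09:00:00"), "user": "bob", "event": "login_ok",
     "device": "b1", "ip": "198.51.100.20"},
    {"ts": ts("2025-06-01T09:10:00"), "user": "bob", "event": "export_records",
     "device": "b1", "ip": "198.51.100.20"},
    {"ts": ts("2025-06-01T18:00:00"), "user": "bob", "event": "login_failed",
     "device": "b1", "ip": "198.51.100.20"},
    {"ts": ts("2025-06-01T18:00:30"), "user": "bob", "event": "login_ok",
     "device": "b1", "ip": "198.51.100.20"},
]
# Six failed attempts against alice in two minutes, from the later "a9" device.
EVENTS += [{"ts": ts("2025-06-02T03:00:00") + timedelta(seconds=20 * i), "user": "alice",
            "event": "login_failed", "device": "a9", "ip": "203.0.113.7"} for i in range(6)]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Bob's single mistyped password and routine export from a known device raise nothing, while Alice's sequence produces all three indicators in order. In a real deployment the third indicator is the one worth paging on: the account has just been entered from an unseen device and something that changes where the data flows has followed.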



AI-specific risks are real, but secondary to structural design choices

AI-specific risks, including prompt injection, unintended data exposure, and safety control bypass, are present and should be considered in any comprehensive assessment. These risks become particularly relevant when models interact with external data sources or process untrusted inputs.

However, in the context of ChatGPT Health, they are not the primary driver of risk. The more significant issues arise from data centralisation, lack of institutional governance, and reliance on consumer-grade identity controls.


This is why approaches such as AI and LLM security testing are increasingly important. They allow organisations to evaluate not just infrastructure, but how AI systems behave under realistic conditions, including adversarial scenarios.


Consumer AI and clinical systems are fundamentally different categories

OpenAI provides separate enterprise offerings designed for healthcare use, including environments that can operate under HIPAA frameworks and support controlled data handling. These systems are built to integrate with institutional governance, not replace it. ChatGPT Health is not part of that category.


It should not be treated as a clinical system, a medical device, a compliant documentation platform, or an auditable environment. Treating it as a lightweight alternative to clinical infrastructure introduces risk by collapsing distinctions that are essential for security and compliance.

Practical implications for organisations and users

For healthcare organisations, the implication is straightforward: ChatGPT Health should be treated as an external, unmanaged environment. Policies should explicitly define whether and how such tools can be used, particularly in relation to clinical data handling, documentation, and decision support.


For individuals, the risk is more nuanced but no less important. The convenience of aggregation and interpretation comes with a trade-off in control. Strong account security, careful management of integrations, and awareness of how data flows through the system become critical.

In both cases, the key issue is not whether the system is useful, but whether its use aligns with the level of control required for the data it handles.

Conclusion

ChatGPT Health represents a meaningful shift in how health data is accessed and interpreted, but it does not change the underlying requirements for securing that data. From a cybersecurity perspective, it moves control away from institutions and into consumer-managed environments, while simultaneously increasing the value and centralisation of sensitive information.


These patterns are not unique to this product and are increasingly visible across the sector, including in broader analyses of cybersecurity in biotech companies. The primary risk is not inherent insecurity, but misalignment between perception and reality.


Systems that appear to provide clarity and convenience can still introduce significant risk if they are not understood within the correct operational context. That distinction — between what a system looks like and what it actually is — is where most security failures begin.
