Research Reveals Healthcare Orgs Have 90% of Sensitive Data Exposed to AI

Varonis studied 98 Healthcare IT environments to assess AI’s impact on healthcare, biotech, and pharma — and how organizations can better protect critical data.
Last updated September 24, 2025

AI is revolutionizing healthcare. Copilots summarize patient histories, agents streamline triage, and LLMs unlock insights from clinical data. Beneath the innovation, however, lies a growing threat.

AI can scan both structured and unstructured data, including every accessible file, folder, database, and identity. If AI surfaces patient records or trial data where it shouldn’t, or gets one line item wrong, it’s game over. Data can’t be unbreached. Ghost users, shadow AI, and missing MFA compound that exposure into a perfect storm. Without automated data security, healthcare organizations risk more than breaches: they risk lives.

To quantify AI’s impact on the healthcare sector, Varonis produced the State of Data Security Report: Healthcare & Life Sciences. Download the full report and continue reading to learn about the latest risks to health data as you prepare for 2026.


About the report

Our team analyzed data security risks across healthcare, biotech, and pharmaceutical organizations worldwide and found that no organization was breach-proof. In fact, 90% of organizations have exposed sensitive data that can easily be surfaced by AI.

The report examines nearly 1 billion files and explores the data risks associated with AI, cloud environments, and some of the most popular SaaS apps and services, such as Microsoft 365, AWS, Box, Salesforce, and many others.

Below are just a few key findings from our research:

  • We found that 64% of organizations have unverified apps, including unsanctioned AI, also known as shadow AI, which increases the risk of exposure and data breaches.
  • 86% of companies allow users to create public links. Of those companies, 2,800+ users can create public links.
  • Stale accounts remain dangerous after a user’s last login, and 90% of organizations have stale but enabled ghost users in their environments.
  • Despite the importance of labeling, only 1 out of 5 healthcare organizations had labeled files.
  • 59% of companies have sensitive cloud data exposed to anonymous users.

Alongside these alarming stats, our experts share proactive steps to help secure your critical data throughout the report.

Ready to learn more?

Download the Varonis 2025 State of Data Security Report: Healthcare & Life Sciences today.
