What Happened
The Health Sector Cybersecurity Coordination Center (HC3) released an analyst note warning that healthcare organizations using generative AI face heightened risks from prompt injection, hallucinated instructions, and data leakage through third-party LLM tools. The alert explains how staff pasting protected health information into public chatbots or agentic tools can create long-lived privacy exposure and potential training data contamination. HC3 advises implementing strict AI use policies, logging, and vendor due diligence to manage AI supply chain risk in hospitals and clinics.
Why It Matters
According to HC3, healthcare organizations using generative AI and third-party LLM tools face elevated risks from prompt injection, hallucinated or fabricated instructions, and inadvertent data leakage when staff paste PHI into public chatbots or agentic tools.[5] HC3 further emphasizes the need for governance, logging, and vendor due diligence across the AI lifecycle in healthcare environments to manage these risks.[5] From a CyberSE.AI perspective, this requires formal AI use policies, technical and process controls around where PHI can be processed by AI, and structured evaluation of AI vendors’ security posture and data handling to reduce long-lived privacy exposure and training data contamination. Healthcare entities should also assess AI agent logic paths for unsafe behaviors and integrate AI risk into broader security readiness and supply chain programs.
CyberSE Analysis
This signal maps to healthcare AI risk. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
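As an added illustration of the first three actions above (not code from HC3 or CyberSE.AI), the following policy gate sits between an AI agent and any third-party LLM or tool: it redacts PHI-like spans before text leaves the organization, refuses tools outside an allow-list, requires a named human approver for state-changing tools, and writes a JSON audit record that never contains the raw prompt. The tool names, the MRN format and the regex patterns are constructed assumptions; a production deployment would back the redaction step with a vetted DLP classifier.

```python
import json
import logging
import re
from dataclasses import dataclass, field

log = logging.getLogger("ai_gateway")

# Constructed, illustrative PHI patterns (a production gateway would use a
# vetted DLP classifier); the MRN format is an assumption.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}

# Hypothetical tool catalogue: state-changing tools need a named human approver.
READ_ONLY_TOOLS = {"lookup_formulary", "search_guidelines"}
STATE_CHANGING_TOOLS = {"update_patient_record", "send_message", "place_order"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    prompt_for_llm: str  # redacted text, the only text allowed to leave the org
    findings: list = field(default_factory=list)


def redact_phi(text):
    """Replace PHI-like spans with labelled placeholders; return (text, pattern names hit)."""
    findings = []
    for name, pattern in PHI_PATTERNS.items():
        if pattern.search(text):
            findings.append(name)
            text = pattern.sub(f"[REDACTED-{name.upper()}]", text)
    return text, findings


def gate_tool_call(tool, prompt, approved_by=None):
    """Policy gate between the agent and any third-party LLM or tool."""
    safe_prompt, findings = redact_phi(prompt)
    if tool not in READ_ONLY_TOOLS | STATE_CHANGING_TOOLS:
        decision = Decision(False, "tool not in allow-list", safe_prompt, findings)
    elif tool in STATE_CHANGING_TOOLS and not approved_by:
        decision = Decision(False, "state-changing tool requires human approval", safe_prompt, findings)
    else:
        decision = Decision(True, "allowed", safe_prompt, findings)
    # Audit record: log what was decided and which PHI classes were hit, never the raw prompt.
    log.info(json.dumps({"tool": tool, "allowed": decision.allowed, "reason": decision.reason,
                         "phi_findings": findings, "approved_by": approved_by}))
    return decision
```

Only `decision.prompt_for_llm` should ever be forwarded to the model; the unredacted prompt stays inside the gateway.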