Doctors and nurses are quietly turning to artificial intelligence tools like ChatGPT to help with their daily work, but this growing trend might be creating hidden risks for patient privacy. Recent research from the UK shows about one in five general practitioners use AI to draft notes or letters. While data from Canada is still scarce, reports suggest similar informal use is happening in Canadian hospitals and clinics.
This unofficial use of AI, sometimes called “shadow AI,” happens when healthcare workers input patient details into public chatbots without formal approval. Once the information leaves a hospital’s secure network, no one can be sure where it goes, how long it stays, or if it’s reused. This raises major concerns since patient data could end up outside of Canadian borders without anyone realizing it.
Shadow AI isn’t a high-profile cyberattack. Instead, it’s more like a silent leak. There are no alarms or firewalls triggered when a nurse copies patient information into an AI translator or a doctor uses AI to draft follow-up letters. This makes it hard for hospitals to detect any data breaches.
Even if personal names and ID numbers are removed, health records can still be pieced back together when combined with other details like dates and location. A study showed that “de-identified” data is often not truly anonymous. The public AI tools in use process information on cloud servers that may keep data temporarily. Many companies do not clearly say where these servers are or how long they store information.
In Canada, privacy rules like the Personal Information Protection and Electronic Documents Act weren’t designed with tools like ChatGPT in mind. This creates a tricky situation for hospitals trying to follow the law while using new technology. Experts warn about the growing risk of accidental data leaks by staff using unapproved AI tools. Insurers have also noted shadow AI could be a major blind spot in managing cyber risks.
To address this, cybersecurity specialists suggest three key steps. First, hospitals should include AI tool usage in regular security checks, treating them like any device staff bring to work. Second, they recommend offering approved AI platforms that keep data processing within Canada for better control. Third, training should help healthcare workers understand how sharing even small amounts of patient data with public AI can compromise privacy.
These ideas won’t fix everything, but they could help healthcare providers protect patients and themselves better. With pressures from staff shortages and cyberattacks, AI can be a big help. Still, unchecked use might weaken trust in how medical information is protected.
Now is the time for Canadian policymakers to step in. Instead of banning AI tools, they should set clear national standards to keep patient data safe while allowing innovation. Shadow AI is already part of everyday healthcare, and ignoring it could lead to serious privacy problems. It’s a challenge that calls for teamwork between technology experts, health workers, and lawmakers before a crisis happens.