Preprint Says Browser Tools Exposed 1,000 Patient Chats on Anonymized Medical AI
A newly posted arXiv preprint claims researchers used ordinary browser inspection tools to view the backend configuration of an anonymized patient-facing medical AI chatbot and retrieve what the paper describes as “the 1,000 most recent patient-chatbot conversations.” The paper presents those findings as a reported exposure in an academic preprint, not as an independently confirmed vendor disclosure.
The preprint, titled “When RAG Chatbots Expose Their Backend: An Anonymized Case Study of Privacy and Security Risks in Patient-Facing Medical AI,” was posted to arXiv on May 1, 2026. Its listed authors are Alfredo Madrid-García and Miguel Rujas. In the abstract, they describe “an anonymized, non-destructive security assessment of a publicly accessible patient-facing medical RAG chatbot.”
The operator of the chatbot is not identified in the paper. As of May 4, 2026, there was no public vendor statement, regulator filing or U.S. Health and Human Services Office for Civil Rights breach portal entry tied to this specific case in the materials reviewed by our analyst. The detailed exposure claims come from the authors’ preprint and had not been independently confirmed publicly by a vendor, regulator or third-party security firm in the sourced material.
According to the abstract, the researchers found what they call a “critical vulnerability” because sensitive system and retrieval configuration data appeared exposed through client-server communications instead of being kept only on the server. The paper says manual verification showed that “ordinary browser inspection allowed collection of the system prompt” as well as model and embedding settings, retrieval parameters, backend endpoints, an API schema, document and chunk metadata, and knowledge-base content.
Most notably, the abstract says the same inspection process exposed “the 1,000 most recent patient-chatbot conversations.” It further states that “full conversation records, including health-related queries, were retrievable without authentication.” The paper says this contradicted the deployment’s privacy assurances.
The authors say they used a two-stage method. First came an exploratory phase assisted by Claude Opus 4.6. That was followed by manual verification using Chrome Developer Tools, the standard browser tools built into Google Chrome. DevTools can show network requests, response payloads and other traffic visible to the browser, which is central to the paper’s claim that no specialized hacking tools were needed to inspect what the chatbot’s frontend was receiving.
RAG stands for retrieval-augmented generation, a chatbot design in which a large language model is paired with an external knowledge base or document store. In practice, that can help a medical chatbot answer questions using approved source material. But it can also create security risks if configuration details, retrieval outputs or conversation records are sent to the browser unnecessarily or exposed through weakly protected application programming interfaces, or APIs.
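As an added illustration of the separation described above (example code written for this article, not from the preprint or the chatbot it studies), the sketch below allow-lists what a RAG backend returns to the browser and scopes conversation history to the authenticated patient; all field names, endpoints and sample records are constructed.

```python
"""Keep RAG internals server-side and gate history on the caller's session."""
from dataclasses import dataclass, field

# Server-side result of one chat turn (constructed sample, not real data).
# The lower keys are the kinds of internals the preprint says reached the browser.
INTERNAL_TURN = {
    "answer": "Take the tablet with food, as your clinician advised.",
    "citations": [{"title": "Patient leaflet", "url": "https://example.invalid/leaflet"}],
    "system_prompt": "You are a medical assistant ...",
    "model": {"name": "example-model", "temperature": 0.2},
    "embedding": {"model": "example-embed", "dim": 1536},
    "retrieval": {"top_k": 5, "endpoint": "http://vector-db.internal:8000/search"},
    "chunks": [{"doc_id": "kb-17", "chunk_id": 3, "text": "..."}],
}

# The only keys the frontend needs; anything not listed is never forwarded.
CLIENT_FIELDS = frozenset({"answer", "citations"})


def to_client_payload(internal: dict) -> dict:
    """Allow-list copy of a turn for the browser (deny by default)."""
    return {k: v for k, v in internal.items() if k in CLIENT_FIELDS}


def leaked_fields(payload: dict) -> list:
    """Audit check: server-only keys present in a payload bound for the browser."""
    return sorted(k for k in payload if k not in CLIENT_FIELDS)


@dataclass
class Conversation:
    conv_id: str
    owner_id: str
    messages: list = field(default_factory=list)


# Constructed store standing in for the chatbot's conversation database.
CONVERSATIONS = {
    "c1": Conversation("c1", "patient-A", ["Is it safe to take X with Y?"]),
    "c2": Conversation("c2", "patient-B", ["How long do side effects last?"]),
}


def get_conversation(conv_id: str, session_user_id):
    """Return messages only to the authenticated owner; anonymous callers and
    other patients get the same None so existence is not disclosed."""
    conv = CONVERSATIONS.get(conv_id)
    if session_user_id is None or conv is None or conv.owner_id != session_user_id:
        return None
    return conv.messages


def list_recent(session_user_id, limit: int = 1000) -> list:
    """Recent conversation ids for the caller only, never a global feed."""
    if session_user_id is None:
        return []
    own = [c.conv_id for c in CONVERSATIONS.values() if c.owner_id == session_user_id]
    return own[:limit]
```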
One legal point stands out, though the paper does not establish it here. If the chatbot operator were a HIPAA covered entity or business associate, and if the exposed conversations contained identifiable health information, unauthorized access could trigger U.S. breach notification obligations. Whether that threshold applies would depend on the operator and the nature of the data involved.
For now, major questions remain unanswered. The preprint anonymizes the chatbot and does not identify the vendor or operator. No public response from a vendor appears in the sourced materials, and no public regulator filing tied to this specific case had surfaced as of May 4.