## Healthcare API Flaw: Unchecked Appointment Booking & Cancellation Exposes Patient Records
A critical security vulnerability in a healthcare scheduling API allows any authenticated user to book or cancel appointments for any other patient, bypassing all patient ownership and care-team access controls. The flaw, discovered in the code for a patient appointment booking system, exposes protected health information (PHI) and enables unauthorized manipulation of medical records through direct API calls.

The vulnerability resides in the `scheduling.appointments.create` and `scheduling.appointments.cancel` procedures within the API gateway. Unlike other functions in the same router, these mutation endpoints are gated only by a basic `isAuthenticated` check: they perform no validation that a patient is acting on their own record, or that a clinician belongs to the affected patient's care team. This omission stands in stark contrast to the secure `listByPatient` function in the same file, which correctly enforces that a patient can only query their own ID and that clinicians must pass an `assertCareTeamAccess` check.

This architectural oversight creates a direct path for data integrity breaches. An authenticated user can use the raw tRPC interface to book appointments under any other patient's identifier, injecting false provider, time, reason, and location data into another individual's PHI. Similarly, they could cancel appointments they do not own. The flaw is a significant failure to apply the principle of least privilege, placing patient privacy and the accuracy of medical scheduling at immediate risk until the missing authorization checks are implemented.
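The missing control, as an added example that is not the reported project's code (the page does not reproduce it): a dependency-free TypeScript sketch of a tRPC-style router in which `create` and `cancel` are gated only by `isAuthenticated`, beside hardened versions that apply the same patient-ownership and `assertCareTeamAccess` check the page attributes to `listByPatient`. Only `isAuthenticated` and `assertCareTeamAccess` are names from the page; the `Session`/role model, `assertPatientAccess`, the in-memory store, and the sample care-team data are assumptions constructed for the example.

```typescript
// Added example: authorization gap in a tRPC-style scheduling router and its fix.
// Only isAuthenticated and assertCareTeamAccess are names taken from the report;
// everything else here is an assumed, constructed model.

type Role = "patient" | "clinician";
interface Session { userId: string; role: Role; }
interface CreateInput {
  patientId: string; providerId: string; startsAt: string; reason: string; location: string;
}
interface Appointment extends CreateInput { id: string; cancelled: boolean; }

// Constructed sample data: clinicians on each patient's care team.
const careTeams: Record<string, string[]> = {
  "patient-1": ["clin-A"],
  "patient-2": ["clin-B"],
};

// Constructed in-memory appointment store standing in for the database.
const appointments = new Map<string, Appointment>();
let nextId = 1;

class UnauthorizedError extends Error {}
class ForbiddenError extends Error {}

// The only gate the vulnerable mutations have: "is there a session at all?"
function isAuthenticated(session: Session | null): Session {
  if (!session) throw new UnauthorizedError("UNAUTHORIZED");
  return session;
}

// Care-team membership check, as the report describes listByPatient using it.
function assertCareTeamAccess(clinicianId: string, patientId: string): void {
  const team = careTeams[patientId] ?? [];
  if (!team.includes(clinicianId)) throw new ForbiddenError("FORBIDDEN");
}

// Assumed helper: a patient may act only on their own record; a clinician must
// be on that patient's care team. This is the check the mutations lack.
function assertPatientAccess(session: Session, patientId: string): void {
  if (session.role === "patient") {
    if (session.userId !== patientId) throw new ForbiddenError("FORBIDDEN");
    return;
  }
  assertCareTeamAccess(session.userId, patientId);
}

function store(input: CreateInput): Appointment {
  const appt: Appointment = { ...input, id: `appt-${nextId++}`, cancelled: false };
  appointments.set(appt.id, appt);
  return appt;
}

// VULNERABLE shape: authentication only; input.patientId is trusted as supplied.
function createVulnerable(session: Session | null, input: CreateInput): Appointment {
  isAuthenticated(session);
  return store(input);
}

function cancelVulnerable(session: Session | null, appointmentId: string): Appointment {
  isAuthenticated(session);
  const appt = appointments.get(appointmentId);
  if (!appt) throw new Error("NOT_FOUND");
  appt.cancelled = true;
  return appt;
}

// HARDENED shape: ownership / care-team check before any write.
function createSecure(session: Session | null, input: CreateInput): Appointment {
  const s = isAuthenticated(session);
  assertPatientAccess(s, input.patientId);
  return store(input);
}

function cancelSecure(session: Session | null, appointmentId: string): Appointment {
  const s = isAuthenticated(session);
  const appt = appointments.get(appointmentId);
  if (!appt) throw new Error("NOT_FOUND");
  // Authorize against the patientId on the stored record, never a caller-supplied one.
  assertPatientAccess(s, appt.patientId);
  appt.cancelled = true;
  return appt;
}
```

The design point is that the check runs against the patient identity the server already holds (the session for patients, the stored appointment row for cancellations) rather than against anything in the request body, and that it is the same helper the read path already uses, so the read and write paths cannot drift apart.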
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security_vulnerability, healthcare, api, data_privacy, access_control
- **Credibility**: unverified
- **Published**: 2026-04-18 23:22:25
- **ID**: 70844
- **URL**: https://whisperx.ai/en/intel/70844