By NHI Mgmt Group Editorial Team
Published 2025-12-10
Domain: Governance & Risk
Source: SailPoint

TL;DR: A nurse who left a health system a year earlier still had a working login and tried to retrieve a patient’s records, illustrating how failed offboarding turns routine care into a compliance and privacy risk, according to SailPoint. Lingering access is unmanaged identity risk, and healthcare is only the clearest example.


At a glance

What this is: A healthcare offboarding lapse let a former nurse keep working access and attempt a records lookup, exposing identity lifecycle failure.

Why it matters: It shows that lifecycle control failures can undermine compliance, patient privacy, and access governance across human, NHI, and delegated identity programmes.


👉 Read SailPoint's Facepalm Files post on lingering healthcare access and offboarding


Context

Identity lifecycle failure is what happens when access outlives the relationship that justified it. In this case, a former healthcare worker still had a valid login a year after leaving, which turned a routine records request into an access governance problem.

Healthcare makes the risk easier to see because records access is tightly regulated and identity handoffs are common, but the underlying issue is broader. Any programme that cannot reliably offboard people, contractors, or other identities is leaving active access in place after accountability has ended.


Key questions

Q: What breaks when offboarding fails for regulated systems?

A: When offboarding fails, a former user can still authenticate into systems that should have been closed to them, which creates privacy, audit, and compliance exposure. The problem is not only stolen access. It is retained access that stays valid after the relationship ends, which means the organisation has lost control of its identity lifecycle.

Q: Why do stale accounts create more risk than teams expect?

A: Stale accounts create risk because they preserve a working path into production systems even when nobody is actively monitoring the identity anymore. That can lead to unauthorised record access, data misuse, and failed audits. The larger issue is that inactive or departed identities often escape normal operational attention until they are used.

Q: How do security teams know whether lifecycle governance is actually working?

A: Lifecycle governance is working only when identity termination is verified end to end, including downstream applications, federated access, and privileged exceptions. If an ex-employee, contractor, or former partner can still sign in, the programme is not controlling identity state. Audit results should be tested against real account status, not policy intent.

Q: Who is accountable when a former worker still has access to sensitive records?

A: Accountability usually sits with both the business owner of the identity and the teams responsible for provisioning and deprovisioning. In regulated environments, that includes IAM, IGA, security operations, and the application owner. If access remains active after departure, the control owner failed to enforce the lifecycle boundary.


Technical breakdown

Why lingering access persists after offboarding

Lingering access usually appears when joiner-mover-leaver processes are incomplete, ownership is unclear, or manual exceptions are never cleaned up. In practice, the identity remains technically valid even after the business relationship has ended, which means access reviews may look correct while real-world entitlement state is already stale. Healthcare environments are especially exposed because staff move between facilities, vendors, and shifts, creating many chances for missed revocation. This is not an authentication problem. It is a lifecycle control failure that leaves a legitimate credential active beyond its intended purpose.

Practical implication: tie offboarding to authoritative source events so access is revoked when employment or engagement ends.

Why delegated access can become a compliance violation

The nurse’s behaviour was not malicious, but it still created a policy breach because identity controls were not aligned to current authorization. Compliance frameworks care about whether access is appropriate at the time it is used, not whether the user meant well. That distinction matters in healthcare, where record access often depends on role, organisation, and patient consent. When a former employee can still authenticate, the control gap is not in the workflow request. It is in the retention of an identity that should already have been terminated.

Practical implication: validate that privileged and regulated-system access is removed before a person or contractor is fully offboarded.
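The point above is that a working login proves who the caller is, not that the caller is still entitled to read a record today. The following is an added example written for this page (not SailPoint's code or any EHR vendor's) of a time-of-use check that an application or policy decision point would run after authentication succeeds. The roster records, the role table and the request fields are constructed assumptions standing in for the authoritative HR or credentialing source; the departed nurse is denied even though her session is valid.

```python
"""Decide a patient-record read on the current relationship, not on session validity.

Added example written for this page; it is not SailPoint's code or any EHR
vendor's. The roster records, role table and request fields are constructed
assumptions standing in for the authoritative HR/credentialing source and the
application's policy decision point.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Relationship:
    """What the authoritative source says about an identity (assumed schema)."""
    org: str              # organisation the person works for or is assigned to
    role: str
    start: date
    end: Optional[date]   # None means the relationship is still active


# Constructed roster: nurse.a left a year ago, the other two are current.
ROSTER = {
    "nurse.a":  Relationship("north-health", "rn", date(2019, 3, 4), date(2024, 11, 1)),
    "dr.b":     Relationship("north-health", "physician", date(2015, 1, 12), None),
    "agency.c": Relationship("north-health", "rn", date(2025, 10, 1), date(2026, 3, 31)),
}

RECORD_READ_ROLES = {"rn", "physician"}   # assumed policy: roles allowed to read records

AUDIT: list = []   # every decision is recorded; compliance asks whether access was appropriate when used


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def authorize_record_read(user: str, record_org: str, on: date) -> Decision:
    """Called after authentication has already succeeded. The login proves who the
    caller is; this decides whether the relationship still justifies the read at
    the time of use."""
    rel = ROSTER.get(user)
    if rel is None:
        decision = Decision(False, "no relationship on record for this account")
    elif on < rel.start:
        decision = Decision(False, f"relationship starts {rel.start.isoformat()}")
    elif rel.end is not None and on > rel.end:
        decision = Decision(False, f"relationship ended {rel.end.isoformat()}")
    elif rel.role not in RECORD_READ_ROLES:
        decision = Decision(False, f"role {rel.role!r} may not read records")
    elif rel.org != record_org:
        decision = Decision(False, f"record held by {record_org}, caller assigned to {rel.org}")
    else:
        decision = Decision(True, "active relationship, permitted role, same organisation")
    AUDIT.append((on.isoformat(), user, record_org, decision.allow, decision.reason))
    return decision


def demo() -> dict:
    """Constructed requests: the departed nurse, a current physician, a contractor
    reading a record held by another organisation, and an account with no roster entry."""
    today = date(2025, 11, 20)
    return {
        "departed nurse": authorize_record_read("nurse.a", "north-health", today),
        "current physician": authorize_record_read("dr.b", "north-health", today),
        "contractor, other org": authorize_record_read("agency.c", "west-health", today),
        "orphan account": authorize_record_read("svc.legacy", "north-health", today),
    }


if __name__ == "__main__":
    for label, d in demo().items():
        print(f"{label:24} {'ALLOW' if d.allow else 'DENY ':5} {d.reason}")
```

The check is deliberately evaluated against the roster at request time rather than against a role claim baked into the session, because the session was issued when the login was still considered valid and carries nothing about the relationship ending since.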

How access reviews miss stale identity state

Access recertification can fail when reviewers examine entitlements on paper but never verify whether the identity should still exist at all. That creates a false sense of control, because a dormant account may still pass periodic checks if the process assumes the account holder is still in scope. In this case, the useful question is not whether the nurse should have had record access during a shift. It is why a departed identity remained available long enough to be used at all. That is the governance gap lifecycle management is meant to close.

Practical implication: review both account existence and current business relationship, not just entitlement lists.


Threat narrative

Objective: Retrieve patient records using access that should already have been revoked. The actor was a departed insider acting without malicious intent, not an external attacker.

  1. Entry occurred through a retained login that still authenticated a former nurse after she had left the prior health system.
  2. Credential access was not stolen but reused legitimately, which meant the active account bypassed normal offboarding enforcement.
  3. Impact would have been unauthorized patient-record retrieval and a potential compliance violation if the request had proceeded.

  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity lifecycle governance fails when access outlives accountability. This case is not about a sophisticated exploit. It is about a former worker still being able to exercise access after the business relationship had ended, which is exactly the condition lifecycle controls are supposed to prevent. The lesson for IAM and IGA teams is that entitlement review is not enough if revocation is not tied to the authoritative end of relationship. Practitioners should treat stale access as a live control failure, not an administrative cleanup task.

Healthcare shows why offboarding must be treated as a regulated control, not an HR afterthought. The environment combines time pressure, rotating staff, third-party labour, and sensitive data access, which makes delayed deprovisioning especially risky. Once a former identity can still reach a clinical system, the organisation has already lost the control boundary, even if the user acts in good faith. The practitioner takeaway is that offboarding logic must be tested against regulated workflows, not just general user exits.

Standing access is the underlying failure mode here, not just poor process hygiene. This is a classic example of unrevoked identity persistence, where access remains usable after the relationship that created it has ended. That failure mode spans humans, contractors, service accounts, and now AI-mediated delegation if organisations allow identities to persist beyond their purpose. Practitioners should look for any control that assumes access disappears automatically when intent changes, because that assumption is false.

Former-identity reuse should be treated as a governance signal, not a one-off anecdote. When a departed user can still authenticate, the programme is telling you that termination, revocation, and periodic review are not operating as one lifecycle. That breaks the assurance model for access governance and can undermine audit confidence even before any data is exposed. Security leaders should interpret these events as evidence of a broader identity inventory problem.

The same lifecycle weakness will surface in NHI programmes if teams copy human processes unchanged. Service accounts, tokens, and delegated access paths do not age out by themselves any more than a former employee does. If the organisation cannot reliably terminate a human account, it is unlikely to handle non-human identities better without explicit lifecycle ownership. The practitioner conclusion is simple: identity governance must be relationship-aware, not account-aware.

From our research:

  • Breaches involving third-party and non-employee access doubled from 15% to 30% in just one year, according to the 52 NHI Breaches Analysis.
  • Another signal: enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.
  • Forward view: as lifecycle gaps spread across human and non-human identities, teams should use the Ultimate Guide to NHIs to harden termination, rotation, and ownership controls.

What this signals

Stale identity state is becoming a programme-level control issue, not a case-by-case exception. Once a former employee can still authenticate, the organisation has evidence that its lifecycle boundary is softer than its policy language suggests. That is exactly how access drift becomes normalised across human identities and later replicated in contractor and machine-account governance.

With 72% of organisations reporting or suspecting an NHI breach, the lesson from human offboarding is directly transferable to machine identity governance. The same failure pattern appears when credentials are left active after their operational purpose ends. Practitioners should treat termination, revocation, and exception handling as one continuous control path rather than separate processes.

Identity programmes that can prove revocation, not just request closure, will be better positioned to absorb AI-mediated delegation and service-account sprawl. The governance question is whether an identity remains usable after trust has expired, which is why lifecycle controls need evidence quality as much as policy coverage. For background on the lifecycle side of that control set, see Ultimate Guide to NHIs.


For practitioners

  • Bind offboarding to authoritative termination events. Remove access automatically when employment, contract, or clinical assignment ends, and verify that the revocation touches every system that can expose regulated records.
  • Audit dormant identities for still-working logins. Look for accounts that remain active after role change or departure, especially in systems that handle patient data, because stale access often survives on exception paths.
  • Separate approval for records retrieval from authentication state. Require that the current business relationship be validated before any access to protected records proceeds, rather than assuming a valid login is sufficient.
  • Test offboarding against regulated workflow scenarios. Run lifecycle drills that follow a real user exit through every downstream application, interface, and delegated access path to confirm that no retained access remains.
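The technical breakdown ("Why lingering access persists after offboarding", "How access reviews miss stale identity state") and the first, second and fourth items above all come down to the same reconciliation: join the authoritative roster to what the directory and each downstream application actually honour, and flag anything that survives the end date. The following is an added example written for this page, not SailPoint's code or the health system's tooling. The four inputs (HR/vendor roster, directory export, per-application entitlement exports, sign-in log) and their layouts are assumptions standing in for whatever the real IGA, IdP and clinical systems export, and every record is constructed. It goes beyond the nurse's case on purpose: it also catches the contractor whose directory account was disabled while the EHR grant stayed, which is exactly the state an entitlement-only review reports as clean.

```python
"""Reconcile account state against the authoritative roster to find access that
outlived its relationship.

Added example written for this page; it is not SailPoint's code or the health
system's tooling. The four inputs (HR/vendor roster, directory export,
per-application entitlement exports, sign-in log) and their layouts are
assumptions standing in for whatever the real IGA, IdP and clinical systems
export, and all records below are constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Assumed SLA: revocation must be complete within one day of the end date.
GRACE = timedelta(days=1)


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    kind: str     # enabled_after_end | entitlement_after_end | orphan | signin_after_end
    detail: str


def reconcile(roster, directory, entitlements, signins, today):
    """Return one Finding per way an identity's access outlived its relationship.

    roster:       {user_id: end_date or None}   authoritative source of the relationship
    directory:    {user_id: {"enabled": bool}}   IdP / directory account state
    entitlements: {system: set(user_id)}          downstream application exports
    signins:      [(user_id, system, datetime)]  successful authentications
    """
    findings = []
    ended = {u: d for u, d in roster.items() if d is not None and d + GRACE < today}

    # 1. Primary account still enabled past the end date: the leaver event never reached the directory.
    for user, end in ended.items():
        acct = directory.get(user)
        if acct is not None and acct["enabled"]:
            findings.append(Finding(user, "directory", "enabled_after_end",
                                    f"enabled {(today - end).days} days after end date {end}"))

    # 2. Downstream entitlement retained, whether or not the primary account is disabled.
    #    This is what an entitlement-only review misses: the reviewer treats the account as
    #    out of scope, but the application still honours a local account or cached grant.
    for system, users in entitlements.items():
        for user in sorted(users & set(ended)):
            findings.append(Finding(user, system, "entitlement_after_end",
                                    f"still entitled; end date {ended[user]}"))

    # 3. Enabled accounts with no roster entry at all: no relationship justifies them.
    for user, acct in directory.items():
        if user not in roster and acct["enabled"]:
            findings.append(Finding(user, "directory", "orphan", "enabled but absent from roster"))

    # 4. Successful sign-ins after the end date: the control failure is already being used.
    for user, system, when in signins:
        end = roster.get(user)
        if end is not None and when.date() > end:
            findings.append(Finding(user, system, "signin_after_end",
                                    f"signed in {when.isoformat(timespec='minutes')} after end date {end}"))
    return findings


def demo():
    """Constructed data: a nurse who left a year ago but still has an enabled account,
    an EHR grant and a recent sign-in; a contractor whose directory account was disabled
    but whose EHR entitlement was never removed; a legacy service account nobody owns."""
    roster = {"nurse.a": date(2024, 11, 1), "dr.b": None, "contractor.c": date(2025, 6, 30)}
    directory = {
        "nurse.a": {"enabled": True},
        "dr.b": {"enabled": True},
        "contractor.c": {"enabled": False},
        "svc.legacy": {"enabled": True},
    }
    entitlements = {"ehr": {"nurse.a", "dr.b", "contractor.c"}, "pacs": {"dr.b"}}
    signins = [("nurse.a", "ehr", datetime(2025, 11, 20, 9, 15)),
               ("dr.b", "ehr", datetime(2025, 11, 20, 10, 0))]
    return reconcile(roster, directory, entitlements, signins, today=date(2025, 12, 10))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:22} {f.user:14} {f.system:10} {f.detail}")
```

Run this on a schedule against fresh exports rather than as a one-off cleanup; the `signin_after_end` finding is the one to route to security operations immediately, since it means a departed identity has already been exercised, while the other three are the backlog the offboarding control should have cleared on its own.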

Key takeaways

  • The core risk is not malicious misuse but retained access after the relationship ended, which turns ordinary admin work into a governance failure.
  • The scale signal is clear: third-party and non-employee access incidents have doubled, showing that lifecycle gaps are no longer edge cases.
  • The control that matters most is verified offboarding across every downstream system, because a valid login should never outlive accountability.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet. Note that CSF 2.0 moved identity and access controls from the CSF 1.1 category PR.AC into PR.AA (Identity Management, Authentication, and Access Control); the references below use the 2.0 identifiers.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-01 | Identities and credentials for authorised users, services, and hardware are managed by the organisation, which includes revoking them when the relationship ends.
NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements, and authorisations are managed, enforced, and reviewed under least privilege, which is where lingering entitlements are removed.
OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Accounts and credentials that persist beyond their intended use, for humans and non-human identities alike.

Review retained entitlements under PR.AA-05, revoke credentials under PR.AA-01, and eliminate accounts that outlive the relationship.


Key terms

  • Identity lifecycle: Identity lifecycle is the process of creating, changing, reviewing, and removing access as a person or system’s relationship to the organisation changes. In practice, it depends on clean joiner-mover-leaver events, accurate ownership, and reliable revocation so access does not survive its business purpose.
  • Offboarding: Offboarding is the controlled removal of access when a person, contractor, or other identity leaves a role or relationship. It is not just account closure. It also includes downstream applications, federated access, privileged exceptions, and any retained credentials that can still authenticate after departure.
  • Standing access: Standing access is permission that remains continuously available instead of being granted only when needed. For identity governance, it creates exposure because the access can persist long after the original justification has ended, especially when deprovisioning and review processes are incomplete.
  • Lifecycle governance: Lifecycle governance is the discipline of managing identity state from onboarding through removal so access remains aligned to current authority. It applies to human users, service accounts, and other non-human identities, and it succeeds only when revocation, review, and ownership are enforced together.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on SailPoint's Facepalm Files blog post on a nurse who retained access after leaving a health system. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org