The Hidden Journey of Patient Data
Healthcare organisations know where their patient data lives. They have EHR systems, data warehouses, backup protocols, and storage architectures. Most can name the platforms, point to the documentation, and demonstrate storage compliance on demand.
What they typically cannot do is answer the harder question: where does that data go once it leaves the point of collection?
Who accessed the oncology records at 11pm last Tuesday? Which analytics vendor processed lab results before they appeared in the clinical dashboard? Which AI model was trained on patient records collected three years ago, and does the data governance documentation still reflect that arrangement? When patient data moved from the EHR into the cloud analytics platform last quarter, did the access controls travel with it?
These are not edge cases or hypothetical compliance scenarios. They are the daily operational reality of modern healthcare data infrastructure. And for most organisations in Europe, they remain unanswered.
Healthcare's Data Challenge Has Shifted
Electronic Health Records solved the collection problem. Most European hospitals now operate with standardised EHR platforms. Cross-border interoperability is progressing through the European Health Data Space framework.
But solving the collection problem has created a different and far less visible one. Patient data no longer stays in a single system. It moves. It flows from EHRs into data warehouses, analytics platforms, and population health tools. It is processed by third-party billing operators and clinical decision support engines. Increasingly, it feeds AI and machine learning systems whose data governance requirements are only now crystallising into enforceable law.
The data journey has lengthened considerably. The organisational visibility into that journey has not kept pace.
This is not primarily a security problem, though the exposure risk is real. It is a governance problem: the gap between what organisations have documented as policy and what is actually happening to patient data across an expanding ecosystem of systems, vendors, and AI applications. Most healthcare organisations do not have a policy problem. They have a verification problem.
Three Regulatory Clocks Are Now Running
For European healthcare CIOs and CDOs, data visibility is not an operational preference. It is a regulatory obligation with a tightening timeline.
GDPR remains the baseline. Data protection authorities across 27 EU member states have issued 265 fines totalling approximately EUR 32.3 million against hospitals, pharmacies, and healthcare providers. The number of new healthcare fines issued in 2025 is 26% higher than the previous reporting period. The most common reason: insufficient technical and organisational measures. Not missing policies. Unverified controls.
The European Health Data Space regulation now creates formal obligations for how patient data flows beyond the point of care. Under EHDS, health data can reach Health Data Access Bodies, researchers, and third-party innovators through secondary use frameworks. Each new pathway creates new access events. Each access event requires documented, governed accountability. For organisations that cannot trace their existing internal data flows, adding EHDS-mandated secondary use channels is a risk architecture problem being layered on top of an existing visibility gap.
The EU AI Act, fully applicable for high-risk AI systems from August 2026, places explicit data governance requirements on the training, validation, and testing datasets used in healthcare AI. The question organisations will need to answer is no longer whether they have a data governance policy. It is whether they can prove what data their AI systems trained on, who had access to that data, and whether that access was properly governed at the time.
When Data Moves Beyond the Organisation's Line of Sight
In February 2024, France experienced its largest-ever healthcare data exposure. The breach did not occur inside a hospital. It occurred at Viamedis and Almerys, two third-party health insurance payment processors, whose systems were accessed after a phishing attack on a single employee account. The result: 33 million people's personal and social security data exposed, nearly half the population of France.
This is exactly the visibility failure in practice. The data had moved from healthcare providers to third-party processors. The governance obligations had also moved, contractually, through Data Processing Agreements required under GDPR. But a signed DPA is not the same as verified governance. Provable governance requires continuous visibility into what data third parties can access, how they are handling it, and whether the agreed controls are actually enforced in practice, not merely documented on paper.
The NHS-DeepMind case reinforces the same point at the intersection of healthcare and AI. In 2015, 1.6 million patient records at the Royal Free London NHS Foundation Trust were shared with DeepMind for clinical application development. The UK's Information Commissioner's Office subsequently determined that the arrangement failed data protection requirements. Cambridge researchers described it as a cautionary tale for any institution sharing sensitive data with technology partners. The accountability gap was discovered retrospectively, not proactively.
Both cases follow the same pattern: data moved, governance did not keep pace, and the consequences were understood only after the fact.
AI Is Silently Expanding the Exposure Surface
AI is not a future consideration for healthcare governance teams. It is a current operational condition.
And yet, according to the 2025 symplr Compass Survey, 86% of healthcare IT executives report instances of shadow IT in their health systems: unauthorised applications operating outside established visibility frameworks. Shadow AI, where clinical or operational teams deploy AI tools that access patient data without the knowledge of the governance function formally accountable for it, is a specific and growing subset of that problem.
AI systems that process patient data create governance obligations under the EU AI Act. But organisations cannot govern AI systems they cannot see. They cannot document training data provenance for models deployed through channels outside their visibility. They cannot enforce data access policies for systems that were never part of the formal procurement or governance process.
AI governance, in practice, starts with data visibility. Organisations that cannot trace patient data flows across their ecosystems cannot meaningfully govern the AI systems that depend on that data.
From Policy to Provable Control
The traditional healthcare compliance model relies on documentation: policies, data processing agreements, data classification inventories, audit logs reviewed periodically. This model assumes that healthcare data ecosystems are relatively stable, that documentation reflects current reality, and that periodic review is sufficient.
None of those assumptions hold reliably in an environment of continuous EHR integrations, evolving analytics platforms, expanding third-party vendor relationships, and accelerating AI deployment.
The regulatory convergence in Europe is demanding something different. The EHDS, the AI Act, and GDPR enforcement are not asking for documentation. They are asking for provable, continuous evidence of how patient data is handled across the full data journey: who has access, under what conditions, and whether governance obligations are actually met in the systems themselves, not just described in the policies.
Healthcare CIOs and CDOs who close this gap first will answer regulator questions without scrambling. They will onboard AI systems with documented data lineage rather than retroactive explanation. They will demonstrate to auditors, patients, and policymakers that their governance reflects operational reality, not aspiration.
The data journey in modern healthcare has never been simple. What has changed is the regulatory and organisational cost of not being able to trace it.
You cannot govern what you cannot see.