
Here Are the 7 Jobs Most at Risk of an AI Data Leak

Some jobs risk far more than a leak when they use consumer AI: healthcare, law and finance lead. Here are the 7 most exposed jobs, and the fix they share.

By Pierre de ONYRI

Some jobs risk far more than a simple leak when they use consumer AI. The rule is simple. The more sensitive or regulated the data, the higher the risk. Healthcare leads, with patient records. Law and finance follow closely. Here are the seven most exposed jobs, ranked by data sensitivity. And the good news: the fix is the same for all of them.

The ranking at a glance

The ranking follows a clear logic. We rank by the sensitivity of the data handled. Health data or a professional secret weighs more than a marketing list. The fix does not change from one job to the next. It means removing sensitive data before you send it, which ONYRI Sanitize automates in the browser.

Here is the ranking, from most to least exposed:

  1. Healthcare — patient records and medical data. The most protected information there is.
  2. Legal — professional secrecy, contracts and confidential client files.
  3. Finance and accounting — statements, tax IDs and named salaries.
  4. HR and recruiting — staff files and applications, rich in personal data.
  5. Developers — code, API keys and technical secrets pasted to move fast.
  6. Customer support — customer data and tickets, handled all day long.
  7. Marketing — lists and campaign data, often pasted without a second thought.

Here are the same seven jobs, in a table.

| Rank | Job | Why |
|------|-----|-----|
| 1 | Healthcare | Patient data (PHI); consumer ChatGPT is not HIPAA compliant |
| 2 | Legal | Professional secrecy; the ABA requires the client's informed consent |
| 3 | Finance / accounting | Statements and tax IDs, named data that is heavily regulated |
| 4 | HR / recruiting | Staff and candidate files; every field needs a legal basis |
| 5 | Developers | Code, API keys and secrets; one maker banned the tool after leaks |
| 6 | Customer support | 40% of files uploaded to AI contain personal data |
| 7 | Marketing | Customer lists pasted from unmanaged personal accounts |

Consumer AI accounts. After The HIPAA Journal, the LayerX report (The Register) and Euronews. The fix is common to all seven: anonymize before sending, which ONYRI Sanitize does in the browser.

The top of the ranking: regulated professions

Let's start at the top: healthcare. Doctors, nurses and clinics handle patient data. It's the most protected information there is. Yet consumer ChatGPT is not compliant with the US HIPAA law. OpenAI will not sign the required agreement (the Business Associate Agreement) for its consumer versions. So entering Protected Health Information is not permitted, even if nothing leaks afterward. We cover the steps in our guide to anonymizing patient data before AI.

Next comes law. Lawyers are bound by professional secrecy. They handle contracts and confidential client files. The American Bar Association made this clear in its Formal Opinion 512, issued on July 29, 2024. A lawyer must keep confidential all information relating to a client's matter. They must understand how the AI tool uses their input. And they must get the client's informed consent before entering confidences. Boilerplate consent in an engagement letter is not enough. Our article on AI for law firms develops this point.

Finance and accounting close the top of the ranking. Bank statements, tax IDs, salaries: this data is personal and heavily regulated. Italy's regulator, the Garante, showed this in December 2024. It fined OpenAI 15 million euros. The reason: personal data processed without an adequate legal basis to train ChatGPT, and a lack of transparency. We explain how to protect this data in our article for accountants.

Two-part diagram: at top, several job cards (dark) leak sensitive data in the clear (amber) toward an exposed document marked with a cross; at bottom, the same jobs send only tokens (cobalt), with a green checkmark — anonymized data.
After The HIPAA Journal, the LayerX report (The Register) and Euronews. Settings don't cover the content; only anonymizing before sending protects it.

The daily risk: HR, developers, support, marketing

Let's step down a level. HR and recruiting handle staff files and job applications. Name, address, tax number, health, reviews: the file is very rich. Every field is personal data that needs a legal basis. Our guide explains how to anonymize HR data before AI.

Developers come next. They paste code, API keys and secrets into AI to move fast. The risk is real and documented. In 2023, a major electronics maker, Samsung, banned ChatGPT for its employees. The reason: engineers had pasted chip source code and the content of an internal meeting. It happened within roughly twenty days. The security firm Cyberhaven measured the pattern. Sensitive data made up about 11% of what employees pasted into ChatGPT. And nearly 4% of employees had pasted sensitive company data at least once. Our guide shows how to paste code without leaking secrets.

Customer support follows. Agents handle customer data and tickets all day long. The LayerX report is telling. 40% of files uploaded to generative AI sites contain personal or payment data. And 82% of pastes come from unmanaged personal accounts. The company then has almost no visibility into what leaves. Our article covers customer support without exposing customer data.

Marketing closes the ranking, without being out of danger. Teams handle customer lists and campaign data. Segments, emails, purchase histories: all of it is still personal data. Pasting a list into AI to draft a message feels harmless. It isn't. Our guide explains how to use AI in marketing without exposing client data.

How to use this

The seven jobs share one risk. They entrust sensitive data to an external AI. So they also share the same fix. Remove the sensitive data before you send it, whatever your job.

  • Healthcare and law: never enter patient data or client secrets in the clear.
  • Finance and HR: remove names, tax IDs and salaries before sending.
  • Developers: mask API keys, secrets and credentials in your code.
  • Support and marketing: never send a raw list or ticket.
  • For regular use, anonymize at the source, in the browser.

That's what ONYRI Sanitize is for. The engine detects sensitive data and replaces it with reversible tokens before sending. Detection and the token↔value mapping stay in your browser. Only anonymized text reaches the tool. Whatever your job, the AI finds only tokens — not your real information.
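The detect, tokenize and restore flow described above, as an added example; it is not ONYRI Sanitize's code. The three regex patterns, the `[[KIND_n]]` token format and the sample prompt are assumptions constructed for illustration.

```javascript
// Added example. Patterns, token format and sample data are constructed
// assumptions; real detectors cover many more data types (names, addresses).
const PATTERNS = [
  { kind: 'APIKEY', re: /\bsk-[A-Za-z0-9]{20,}\b/g },          // assumed key shape
  { kind: 'EMAIL',  re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { kind: 'TAXID',  re: /\b\d{3}-\d{2}-\d{4}\b/g },             // US SSN layout
];

function createSanitizer() {
  // Both maps stay in local memory; only sanitize()'s output is sent out.
  const tokenToValue = new Map();
  const valueToToken = new Map();
  const counts = {};

  function tokenFor(kind, value) {
    // Reuse the token for a repeated value so the model can still tell
    // that two mentions refer to the same thing.
    if (!valueToToken.has(value)) {
      counts[kind] = (counts[kind] || 0) + 1;
      const token = `[[${kind}_${counts[kind]}]]`;
      valueToToken.set(value, token);
      tokenToValue.set(token, value);
    }
    return valueToToken.get(value);
  }

  function sanitize(text) {
    return PATTERNS.reduce(
      (out, { kind, re }) => out.replace(re, (m) => tokenFor(kind, m)),
      text
    );
  }

  function restore(text) {
    // Unknown tokens are left untouched rather than guessed at.
    return text.replace(/\[\[[A-Z]+_\d+\]\]/g, (t) => tokenToValue.get(t) ?? t);
  }

  return { sanitize, restore };
}

// Constructed sample prompt and a constructed model reply.
const session = createSanitizer();
const outbound = session.sanitize(
  'Mail jane.doe@example.com (tax ID 123-45-6789) using key ' +
  'sk-AbCdEf0123456789AbCdEf01, then cc jane.doe@example.com.'
);
const restored = session.restore('Draft sent to [[EMAIL_1]].');
console.log(outbound);
console.log(restored);
```

Regex detection misses free-text identifiers such as personal names, so a pattern list like this is a floor for what gets masked, not a guarantee.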

Frequently asked questions

What jobs are most at risk of an AI data leak?
The most exposed handle the most sensitive or regulated data. Healthcare leads, with patient records. Then come law, finance, HR, developers, customer support and marketing. The more sensitive the data, the higher the risk. The fix is common: anonymize the data before you send it.

Is ChatGPT HIPAA compliant for healthcare?
No, not in its consumer versions. They don't offer the required safeguards or the mandatory agreement (the Business Associate Agreement). OpenAI will not sign that agreement for consumer ChatGPT. So entering Protected Health Information is not permitted, even if nothing leaks afterward.

Can a lawyer use ChatGPT with client information?
With caution. The American Bar Association's Formal Opinion 512 makes this clear. The lawyer must keep the information confidential, understand how the tool uses their input, and get the client's informed consent. Boilerplate consent is not enough. Anonymizing data before sending sharply reduces this risk.
