How a Global Healthcare Company Shifted Beyond DLP to Govern AI

A large US healthcare services organization, a Microsoft E5 deployment with DLP rules in place, and a category of sensitive data flowing into AI tools that the existing controls had no way to detect. The data was personal. The use case was entirely legitimate. And none of it looked like anything a pattern-matching rule was built to find.
The Starting Position
The argument for enterprise DLP is straightforward in principle: classify your sensitive data, define rules that recognize it, apply controls that stop it from leaving. It’s a reasonable framework when the data you need to protect has a recognizable structure. Social Security numbers have a format. Credit card numbers have a checksum. Dates of birth in standard forms match a pattern.
Most organizations discover, at some point, that the most sensitive data they hold does not have a recognizable structure. It’s text. It’s narrative. It’s professional judgment written in plain language, and it carries no classification label and matches no regex rule.
This organization encountered that problem directly when they looked at how staff were using AI tools in their care operations.
Employees working with bereaved families were using Microsoft Copilot to help write obituaries. This was not a policy violation and not a rogue use case. It was a reasonable, productivity-driven application of a tool the organization had deployed. Writing obituary content is time-consuming and emotionally demanding work, and AI assistance made it faster and less burdensome on staff handling a difficult function.
The problem was the data going into those prompts.
What E5 Could Not Detect
The organization had invested substantially in Microsoft's security stack. Microsoft Purview, under an E5 license, provided DLP coverage across Microsoft 365. The rules in place looked for structured sensitive data types: Social Security numbers, financial account formats, defined health data classifications, and other patterns that Purview's out-of-box policies are designed to catch.
What those rules could not catch was a prompt that read, in substance: a request to write an obituary for a named individual, with details of their age, the circumstances of their death, their surviving family members, the location of the service, and any personal details the employee had gathered from the family in their care work.
That prompt contains no Social Security number. No account number. No recognized health data field. What it contains is deeply personal information about a deceased individual and their bereaved family: names, ages, family relationships, personal circumstances, details of death, service arrangements. Under HIPAA and broader privacy obligations, this data warrants careful protection. Under the terms of the care relationship the organization holds with the families it serves, the expectation of confidentiality is explicit.
The pattern-matching rules in place had no path to identifying this as sensitive. The content does not match a structure; it is a description of a human life written in natural language, and its sensitivity is entirely semantic.
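The gap described here can be reproduced with a few lines of code. The block below is an added illustration and is not code from Harmonic or from the organization in the case study. It runs three rules of the kind an out-of-box DLP policy ships with (an SSN format, a card number confirmed with the Luhn checksum, a date of birth) over a constructed obituary-style prompt and over a constructed prompt full of structured identifiers. It then runs a deliberately crude co-occurrence heuristic (name plus death context plus family relations plus age) as a stand-in for semantic detection. The heuristic is not a language model and is not how Harmonic's models work; it is only there to show that the signal lives in the meaning of the text, which the structured rules never look at. All names, dates and numbers are invented.

```python
import re

# Constructed obituary-style prompt (every detail invented) of the kind
# described above: no structured identifiers, but deeply personal content.
OBITUARY_PROMPT = (
    "Please write a warm obituary for Margaret Ellen Doe, aged 84, who passed "
    "away peacefully on Tuesday after a short illness. She is survived by her "
    "husband Thomas, her daughter Claire and two grandchildren. The service "
    "will be held at St. Mary's Chapel on Saturday at 11am."
)

# Constructed control prompt that structured DLP rules are built to catch.
STRUCTURED_PROMPT = "Patient SSN 123-45-6789, card 4111 1111 1111 1111, DOB 03/14/1941."


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the structural test a DLP rule uses to confirm a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Pattern-based rules: each one recognises a *format*, nothing more.
PATTERN_RULES = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "dob": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}


def pattern_dlp_scan(text: str) -> dict:
    """Return {rule_name: [matches]} for every structured rule that fires."""
    hits = {}
    for name, rx in PATTERN_RULES.items():
        found = rx.findall(text)
        if name == "credit_card":
            # Keep only digit runs that pass the checksum, as a real rule would.
            found = [m for m in found if luhn_ok(re.sub(r"\D", "", m))]
        if found:
            hits[name] = found
    return hits


# Stand-in for semantic detection (assumption: a crude heuristic, NOT a model).
DEATH_CONTEXT = re.compile(
    r"\b(obituary|passed away|died|death|funeral|survived by|service will be held)\b", re.I)
FAMILY_TERMS = re.compile(
    r"\b(husband|wife|daughter|son|mother|father|grandchildren|sister|brother)\b", re.I)
AGE = re.compile(r"\baged?\s+(\d{1,3})\b", re.I)
PERSON_NAME = re.compile(r"\b([A-Z][a-z]+(?:\s+[A-Z][a-z]+){1,2})\b")  # 2-3 capitalised words


def semantic_scan(text: str) -> dict:
    """Flag text where a personal name co-occurs with death, family and age signals."""
    names = PERSON_NAME.findall(text)
    signals = {
        "person_name": bool(names),
        "death_context": bool(DEATH_CONTEXT.search(text)),
        "family_relations": bool(FAMILY_TERMS.search(text)),
        "age": bool(AGE.search(text)),
    }
    score = sum(signals.values())
    return {"sensitive": signals["person_name"] and score >= 3,
            "signals": signals, "names": names}


if __name__ == "__main__":
    for label, prompt in (("obituary", OBITUARY_PROMPT), ("structured", STRUCTURED_PROMPT)):
        print(label, "pattern DLP:", pattern_dlp_scan(prompt))
        print(label, "semantic   :", semantic_scan(prompt)["sensitive"])
```

Running it shows the asymmetry the case study describes: the structured prompt lights up every pattern rule and the obituary prompt lights up none, while the co-occurrence heuristic flags only the obituary prompt. The heuristic would be trivially evaded and would false-positive on, say, a news article; that is precisely why the page argues for a model that reads meaning rather than a bigger rule list.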
The Proof of Value
Harmonic was deployed via browser extension across the care operations workforce. Silent monitoring ran first, establishing a baseline of real behavior before any controls were introduced.
The findings confirmed the scale of the gap. Across the proof of value window, prompts containing unstructured personal data about individuals in the organization's care appeared across multiple AI platforms. The events ranged from partial information (a name and age without family details) to fully identifying content including all the elements a family had shared during their initial contact with the organization.
Critically, zero of these events were detected by the Microsoft E5 DLP rules in place. The same content that Harmonic's small language models flagged consistently produced no alerts in Purview. The gap was not a configuration issue; it was structural. Purview is built to find patterns. The content in question had none.
The findings also showed that the AI platforms in use extended beyond Copilot. Staff were using other browser-based AI tools, several of them without enterprise agreements, some operating under terms that permit use of submitted data for model training. For an organization handling personal data about individuals at one of the most sensitive moments of their lives, the implications of that data entering a training pipeline were serious.
- Unstructured personal data about individuals in care detected across AI platforms
- Zero of the same events detected by existing Microsoft E5 DLP rules
- Multiple non-Copilot platforms in active use, several without enterprise data handling agreements
How Small Language Models Fill the Gap
The distinction between pattern-based and semantic detection is not subtle in cases like this. A DLP rule looks at whether content matches a format. A small language model looks at what the content says.
Harmonic's models are trained to understand the sensitivity of professional content across categories including healthcare, legal, financial, and personal information. When a model reads an obituary-writing prompt, it identifies the personal data present from the meaning of the text rather than from any structural marker. It understands that a name combined with a death context and family details constitutes sensitive personal data even without a labeled field or a matching format.
This is the same capability that makes Harmonic effective across other unstructured sensitive data categories: source code, strategy documents, client correspondence, employment records. In each case, the sensitivity is in what the text says, and identifying it requires a model that can read.
Moving to Responsible AI Use in Care Operations
The organization's objective was not to stop staff using AI for obituary writing. The productivity benefit was genuine, and removing it would have made a difficult role harder. The objective was to enable the use case while protecting the people whose information was involved.
Following the proof of value, Harmonic was deployed across care operations covering both browser-based AI tools and, via the endpoint agent, desktop AI applications in the workflow.
Controls were calibrated to the obituary workflow specifically. Prompts containing detected personal data categories in a care context are intercepted before submission. The user-facing intervention does not block the task; it guides the user toward approaches that accomplish the same goal without including identifying personal information. In practice, this means prompting staff to describe the structure and tone required without pasting in personal details, or to use the AI for template and language work and apply the personal information after the fact.
The approach preserves the productivity benefit the tool was being used for. It protects the individuals whose data was flowing through it without their knowledge. And it closes the gap that Microsoft E5 could not close, because the gap was never one that pattern matching could reach.
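The intervention described above (intercept before submission, keep the task moving, let the user apply personal details after the fact) can be sketched as a pre-submission hook. The block below is an added example, not Harmonic's product code, and it makes two assumptions: that a detector upstream has already produced a list of flagged spans with categories, and that the placeholder-to-value mapping stays on the endpoint and is never sent to the AI tool. The prompt and the findings are constructed; names and places are invented.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # e.g. "person_name", "age", "location" (assumed detector output)
    text: str       # the exact span the detector flagged


# Constructed prompt (invented details) and the constructed detector output
# that a semantic detector is assumed to hand to the intercept step.
PROMPT = (
    "Please write a warm obituary for Margaret Ellen Doe, aged 84, who passed "
    "away peacefully on Tuesday after a short illness. She is survived by her "
    "husband Thomas, her daughter Claire and two grandchildren. The service "
    "will be held at St. Mary's Chapel on Saturday at 11am."
)
FINDINGS = [
    Finding("person_name", "Margaret Ellen Doe"),
    Finding("person_name", "Thomas"),
    Finding("person_name", "Claire"),
    Finding("age", "84"),
    Finding("location", "St. Mary's Chapel"),
]


def deidentify(prompt: str, findings: list) -> tuple:
    """Replace each flagged span with a stable placeholder.

    Returns (safe_prompt, mapping). Only safe_prompt is meant to leave the
    endpoint; mapping is kept locally so the details can be reapplied later.
    """
    mapping, counters, safe = {}, {}, prompt
    # Longest spans first so a full name is replaced before any shorter part of it.
    for f in sorted(findings, key=lambda f: -len(f.text)):
        counters[f.category] = counters.get(f.category, 0) + 1
        placeholder = f"[{f.category.upper()}_{counters[f.category]}]"
        mapping[placeholder] = f.text
        # Whole-token replacement so "84" does not hit the inside of "1984".
        safe = re.sub(r"(?<!\w)" + re.escape(f.text) + r"(?!\w)", placeholder, safe)
    return safe, mapping


def reapply(template_output: str, mapping: dict) -> str:
    """Put the real details back into whatever the AI tool returned for the template."""
    out = template_output
    for placeholder, real in mapping.items():
        out = out.replace(placeholder, real)
    return out


def intercept(prompt: str, findings: list) -> dict:
    """Decision taken by the pre-submission hook.

    Nothing flagged: allow as-is. Otherwise: do not block the task, return a
    de-identified prompt plus guidance so the user can still get the draft.
    """
    if not findings:
        return {"action": "allow", "prompt": prompt}
    safe, mapping = deidentify(prompt, findings)
    return {
        "action": "guide",
        "prompt": safe,
        "mapping": mapping,   # stays on the endpoint; never submitted
        "message": ("This prompt contains personal details about someone in our care. "
                    "A version with placeholders is ready to send; add the personal "
                    "details to the draft after it comes back."),
    }


if __name__ == "__main__":
    decision = intercept(PROMPT, FINDINGS)
    print(decision["action"])
    print(decision["prompt"])
    # Simulated model output for the placeholder prompt, then the local re-insertion.
    draft = "[PERSON_NAME_1], [AGE_1], is survived by [PERSON_NAME_2] and [PERSON_NAME_3]."
    print(reapply(draft, decision["mapping"]))
```

The design choice worth noting is that the hook returns a usable prompt rather than a refusal: the staff member still gets template and language help from the tool, and the only thing that changes is which side of the boundary the identifying details sit on. Round-tripping the de-identified prompt through `reapply` restores the original text exactly, which is the property that makes the "apply personal information after the fact" workflow practical.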
The Outcome
The organization moved from a position where a legitimate and widespread AI use case was creating significant data exposure that the entire existing security stack was missing, to one where that use case is supported, monitored, and governed. Staff continue to use AI assistance in their care work. The personal data of the individuals they serve stays protected.
For an organization whose entire business is built on caring for people at their most vulnerable, the distance between those two positions is not a compliance checkbox. It’s a fundamental obligation.
To find out more or discuss how this could apply to your organization, visit harmonic.security or get in touch with the team directly.