Last week, a member of the Scatter Spider threat group — responsible for high-profile attacks on MGM Resorts, Caesars Entertainment, and a string of other major organizations — was caught. One of the contributing data sources was Windows Telemetry. The arrest sparked a sharp debate in the security community on X, with practitioners split: some celebrated telemetry as a legitimate law enforcement tool, others pushed back that the security community had been warning about this data collection for years and shouldn't be surprised it cut both ways.
UK security researcher Daniel Card (@UK_Daniel_Card) put together a detailed post and accompanying PowerShell tool documenting exactly what Windows telemetry collects, how to audit it, and how to harden it. His work is the empirical foundation of this post. The arrest of a criminal is a good outcome. What it also surfaced — and what is directly relevant to healthcare security teams — is how much data Windows devices are transmitting by default, and what that means for clinical workstations that may be touching PHI every minute of every shift.
What Windows Telemetry Actually Collects
Most security discussions about Windows telemetry focus on general privacy concerns. For healthcare, the conversation needs to be more specific: which default-enabled settings create a PHI exfiltration pathway, and which clinical workflows are most exposed?Daniel Card's tool audits 54 Windows settings across telemetry, error reporting, cloud content, activity history, privacy, AI, cloud sync, search, suggestions, location, SmartScreen, and scheduled tasks — plus browser-level settings for Edge and Brave. The majority are enabled by default. The table below draws from his audit output, ranked by PHI exfiltration risk in clinical environments.
Data source: Windows telemetry audit tool by Daniel Card (@UK_Daniel_Card). Settings sourced from his July 2026 PowerShell audit output. Risk ratings reflect healthcare-specific PHI exposure assessment, not general privacy risk.| Setting | Category | Risk | Healthcare / PHI Concern |
|---|---|---|---|
| Windows Recall (AI Data Analysis) | AI | Critical | Continuous screenshot and OCR of all on-screen content including EHR sessions, clinical notes, patient records, and medication orders. Stored locally but syncs to Microsoft cloud. Highest PHI exfiltration surface on a clinical workstation. |
| Cross-Device Clipboard (Cloud) | Cloud Sync | Critical | Clipboard contents — copied MRNs, patient names, medication lists, lab values — synced to Microsoft cloud and shared across signed-in devices. Direct PHI transmission vector on shared clinical workstations. |
| Clipboard History | Cloud Sync | Critical | Persists clipboard contents across sessions. On shared clinical workstations, clipboard history from one user's session is accessible to the next. MRNs, order details, and clinical notes remain in history until manually cleared. |
| Implicit Ink Collection | Privacy (User) | Critical | Captures stylus and handwriting input for personalization. On tablet workstations, captures clinical annotations, order signatures, and handwritten notes transmitted to Microsoft servers. |
| Implicit Text Collection | Privacy (User) | Critical | Captures typed text for personalization. Includes free-text clinical documentation, search queries, and EHR field entries transmitted to Microsoft servers character-by-character. |
| Online Speech Recognition | Privacy (User) | High | Transmits audio to Microsoft cloud for recognition. Clinical dictation workflows and voice commands on patient care workstations send patient-identifiable speech externally. |
| Linguistic Data Collection | Privacy (User) | High | Collects contacts, calendar entries, and typed content for language model improvement. Clinical devices synced to organizational calendars containing patient scheduling information are in scope. |
| Connected User Experiences and Telemetry | Service | High | Core Windows telemetry service. Memory dumps from EHR application crashes transmitted in diagnostic reports may contain in-memory PHI loaded at time of crash. |
| Publish / Upload User Activities | Activity History | High | Uploads Windows Timeline activity history to Microsoft cloud including application usage and document access. Clinical application activity and document filenames visible in synced timeline. |
| Windows Copilot | AI | High | AI assistant with access to on-screen context and clipboard. Without explicit BAA coverage for Copilot interactions, staff using Copilot for clinical documentation tasks may transmit PHI to Microsoft AI infrastructure. |
| Search Box Web Suggestions | Privacy (User) | Medium | Transmits Start menu search keystrokes to Bing in real time. Staff searching patient names or MRNs via the Start menu transmit those strings to Microsoft before a result is selected. |
| Error Reporting (WER) + Additional Data | Error Reporting | Medium | Crash reports include memory dumps. EHR or clinical application crashes produce reports that may contain patient records or session data loaded in application memory at crash time. |
| Browser Telemetry — Edge (all 13 defaults) | Browser | Medium | Diagnostic data, search suggestions, and network prediction all enabled. Web-based EHR systems accessed via Edge generate browsing telemetry. Search suggestions transmit URL fragments and typed queries in real time. |
| Settings Sync | Cloud Sync | Medium | Syncs browser history, saved passwords, and settings across devices via Microsoft account. On shared workstations, can merge clinical browsing history across personal and work device profiles. |
| Delivery Optimization P2P | Network | Low | Uses clinical workstations as P2P upload nodes for Windows Update delivery. A network boundary concern — clinical devices participate in external update distribution traffic. |
The Scatter Spider Connection — and What It Reveals
The Scatter Spider arrest is a useful entry point into this conversation precisely because it demonstrates something the security community has debated abstractly for years: telemetry data is operationally significant. It creates a persistent behavioral record that survives the actions threat actors take to cover their tracks. In the Scatter Spider case, that record contributed to an arrest. In a healthcare organization that has not audited its clinical workstation telemetry configuration, that same record is being created every day — and flowing to Microsoft's infrastructure rather than to a law enforcement investigation.The debate that erupted on X following the arrest was not really about whether catching criminals is good. It was about whether organizations — including healthcare organizations — fully understand what they are transmitting, to whom, under what terms, and with what BAA coverage. The honest answer for most mid-sized health systems is no. Default Windows configurations have never been designed with HIPAA minimum necessary principles in mind. They were designed for consumer convenience and Microsoft's product improvement objectives.
Daniel Card's response to the debate was practical rather than polemical: here is exactly what is enabled by default, here is how to audit it, and here is how to harden it. That framing is the right one for healthcare security teams. The question is not whether telemetry is inherently good or bad. The question is whether your clinical workstations are transmitting PHI to destinations not covered by your BAA, without your knowledge, and without your patients' meaningful authorization.
The HIPAA Framework for This Problem
The HIPAA Security Rule does not prohibit telemetry. It requires covered entities to implement reasonable and appropriate administrative, physical, and technical safeguards to protect ePHI, to conduct accurate and thorough risk assessments, and to implement policies and procedures to prevent, detect, contain, and correct security violations.Three provisions apply most directly to the telemetry risk:
Risk Analysis (§164.308(a)(1))
The Security Rule requires a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Windows telemetry transmitting clipboard contents, typed text, speech audio, and Recall screenshots from clinical workstations is a risk. If your most recent risk analysis does not include workstation telemetry configuration as an assessed risk, your analysis has a gap — and OCR has made clear that gaps in risk analysis are enforcement targets.Minimum Necessary (§164.502(b))
The minimum necessary standard requires covered entities to make reasonable efforts to limit PHI use and disclosure to the minimum necessary to accomplish the intended purpose. Windows Recall capturing continuous screenshots of EHR sessions and transmitting OCR text to Microsoft's cloud is not minimum necessary for any clinical purpose. It is a default-enabled feature that requires affirmative action to disable — and most clinical workstations have never received that action.Business Associate Agreements
Microsoft's standard Windows licensing does not constitute a BAA for telemetry data. Microsoft offers a HIPAA BAA that covers specific Microsoft cloud services — primarily Azure, Microsoft 365, and Dynamics 365 — under defined terms. The BAA does not automatically cover all data transmitted by Windows operating system telemetry components. Healthcare organizations that have signed a Microsoft BAA should verify specifically which telemetry destinations and data types are covered under that agreement, and which fall outside it.The AI Features Are the New Frontier
Two entries in the risk table deserve extended discussion because they represent a materially new category of risk that did not exist in prior Windows versions: Windows Recall and Windows Copilot.Windows Recall
Recall is a Windows 11 feature that takes periodic screenshots of everything on screen, runs OCR on the resulting images, and creates a searchable local database of everything the user has seen on their device. Microsoft initially designed Recall to sync to the cloud; following significant privacy criticism, local-only storage became the default. However, the feature remains enabled by default, and the local database it creates is a comprehensive record of every EHR session, every patient record viewed, every clinical note opened, and every medication order displayed on that workstation — stored in a queryable format that persists until explicitly deleted.For a threat actor who gains access to a clinical workstation — whether through a phishing email, a stolen credential, or physical access — the Recall database is a ready-made record of months of clinical activity. The arrest of the Scatter Spider member demonstrated that persistent behavioral records create investigative value. The same logic applies to an attacker reading the Recall database: they do not need to wait for the clinician to be active. They can query the history.
Windows Copilot
Copilot's on-screen context access means that staff using Copilot to help draft clinical documentation, summarize a patient's recent visit, or answer a clinical question are potentially transmitting that content to Microsoft's AI processing infrastructure. Whether that transmission is covered under your existing Microsoft BAA depends on the specific terms of your agreement — and most healthcare organizations have not verified this explicitly.What This Means for Healthcare Security Teams
Workstation Hardening Needs a Telemetry Audit
Daniel Card's PowerShell tool provides an audit and hardening framework that translates directly to healthcare workstation management. The tool outputs a current-state assessment of all 54 settings, supports per-item toggle or full disable (the `D` command hardens all items simultaneously), and exports results to CSV for documentation. For healthcare organizations managing clinical workstations at scale through endpoint management platforms — Intune, SCCM, or similar — the tool's output maps to Group Policy objects and configuration profiles that can be deployed across a workstation fleet. The audit step should precede the hardening step: understanding which settings are currently active and which clinical workflows may depend on them prevents breaking dependencies before alternatives are in place.Recall and Copilot Require Explicit Policy Decisions
Recall and Copilot are not legacy defaults that predated HIPAA. They are features that Microsoft added to Windows 11 in 2024 and 2025, with default-enabled configurations. Healthcare organizations need explicit policy positions on both: is Recall permitted on clinical workstations, and if so, is the local database encrypted, access-controlled, and included in your data inventory? Is Copilot covered under your Microsoft BAA, and if so, under what use conditions? These are not questions that can be left at their defaults — they require affirmative governance decisions documented in your AI policy and acceptable use framework.Shared Workstations Are the Highest-Risk Profile
The clipboard history, activity timeline, and Recall features all have heightened risk profiles on shared clinical workstations — nurse stations, medication administration terminals, and shared provider workstations — because they accumulate data across multiple users and sessions. A clipboard history containing MRNs copied by the previous shift is visible to the current shift. A Recall database on a shared workstation captures the clinical activity of every user who has logged in. Hardening shared workstations is the highest-priority action item from this analysis, ahead of individually assigned devices.Browser Telemetry Is an Overlooked Surface
All 13 Edge browser telemetry settings are enabled by default, and most web-based EHR systems are accessed via Edge. Search suggestions, network prediction, and diagnostic data collection all generate telemetry from clinical browsing sessions. For health systems that have standardized on Edge for EHR access, browser telemetry policy belongs in the same workstation hardening review as operating system telemetry — not treated as a separate IT configuration item unrelated to HIPAA compliance.Your Risk Analysis Needs a Telemetry Line Item
If your most recent HIPAA Security Rule risk analysis does not explicitly assess workstation telemetry configuration as a risk to ePHI confidentiality, add it before your next OCR audit cycle. The combination of default-enabled Recall, clipboard sync, implicit text collection, and browser telemetry creates a documented, assessable risk pathway. Documenting it — and documenting the hardening actions taken to mitigate it — is both a compliance requirement and a defensible position if a breach ever involves a clinical workstation.The Bigger Picture
The Scatter Spider arrest is going to produce a short-lived discussion about whether telemetry is a feature or a liability, and that discussion will miss the point for most healthcare security practitioners. The operationally relevant question is not whether telemetry helped catch a criminal. It is whether your clinical workstations are operating within the HIPAA framework your organization has documented, or whether a significant volume of PHI-adjacent data is leaving your environment through default-enabled channels that your last risk assessment didn't account for.Daniel Card's contribution to this conversation is practical and well-timed: a specific, auditable list of what Windows collects by default, with a tool to assess and harden it. That kind of concrete, actionable work is what moves healthcare security programs from awareness to posture change. The telemetry debate on X will continue. The workstation hardening review is something you can complete this week.
This is entry #51 in the AI Security Series. For related coverage, see AI Security Series #49: Claude Code's Hidden Fingerprint — Steganographic Telemetry in a Privileged Tool.
Key Links
- Daniel Card (@UK_Daniel_Card): Windows Telemetry Audit Post and Tool (X/Twitter)
- Daniel Card (@UK_Daniel_Card): Follow-up Notes on Multi-User Devices and Admin Hives (X/Twitter)
- HHS: HIPAA Security Rule — Full Text and Guidance
- HHS: Minimum Necessary Guidance (§164.502(b))
- Microsoft: HIPAA and the Microsoft Cloud — BAA Coverage Reference
- Microsoft: Configure Windows Diagnostic Data in Your Organization
- CISA: HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework