Traditional perimeter security measures, such as Web Application Firewalls (WAFs) and static analysis, often fail to detect logic-based vulnerabilities in healthcare Application Programming Interfaces (APIs), creating significant risks for patient data confidentiality. Addressing the scarcity of empirical performance evaluations in this domain, this study employs a grey-box controlled experimental design to assess the effectiveness of automated HTTP fuzzing against a production-grade mobile health application ("Application X"). Using the FFUF tool configured with sequential identifier injection, status-code filtering, and hidden-field probing, the experiment tested 33 endpoints against the OWASP API Security Top 10 2023 benchmarks. To ensure data reliability, a rigorous multi-step validation protocol including replay testing and environmental noise elimination was applied to filter false positives. The results identified 88 distinct vulnerabilities distributed across six categories, with a critical dominance of Security Misconfiguration (API8) and Broken Object Property Level Authorization (API3). Analytically, the high prevalence of API3 reveals a systemic failure in backend serialization, where sensitive fields  including password hashes and internal administrative flags were exposed due to the absence of Data Transfer Objects (DTOs), contradicting the assumption of secure client-side filtering. Limitations of this study include the restriction to a single patient-role perspective and the exclusion of third-party integrations. The study concludes that automated fuzzing is superior to static analysis in detecting runtime data leakage and recommends mandatory Server-Side Output Filtering through explicit DTOs as a critical standard for secure health API development and data privacy compliance.

API Security; Excessive Data Exposure; Fuzzing; Healthcare Application; OWASP Top 10