Clinically Grounded Privacy Evaluation of Medical LMs

📅 2026-06-08
🤖 AI Summary
Current privacy evaluations of medical language models are largely confined to verbatim memorization of training text and lack systematic analysis aligned with real-world clinical threats. This work proposes the first clinically oriented, tiered framework for assessing privacy leakage: tiers are graded by adversarial access strength, verbatim memorization is distinguished from templated content, and semantic leakage risk is quantified for sensitive diagnoses such as abortion and HIV. Using adversarial prompting, memorization detection, semantic analysis (measured by AUROC), and metadata-triggered attacks, we evaluate a model pretrained on 378k clinical notes. Our findings show that routine visit metadata can trigger high-probability verbatim memorization across a patient's timeline, 36% of which stems from templates, and significant sensitive-information leakage, with AUROC scores of 0.91 for abortion and 0.81 for HIV.
📝 Abstract
Medical language models (LMs) can memorize and reproduce protected health information, but privacy evaluations often focus on recovery of training text rather than disclosure under realistic threat models. We introduce a clinically grounded framework that evaluates leakage along a graded axis of adversarial access, ranging from publicly inferable demographics to leaked note fragments. At each tier, we measure verbatim memorization of patient-specific text and semantic leakage of sensitive diagnoses. Applying the framework to an LM pretrained on 378k clinical notes, we find that routine encounter metadata (i.e. name, date of birth, provider, practice, visit date) elicits high rates of verbatim memorization across a patient's timeline and sensitive-diagnosis recovery (AUROC 0.91 for abortion, 0.81 for HIV). At the same time, exact-match memorization can overstate disclosure: 36% of memorized tokens reflect templated documentation. Our work highlights the risks of training on longitudinal clinical data, providing a practical framework for contextual privacy evaluation of medical LMs.
Problem

Research questions and friction points this paper is trying to address.

medical language models
privacy evaluation
protected health information
verbatim memorization
semantic leakage
Innovation

Methods, ideas, or system contributions that make the work stand out.

privacy evaluation
medical language models
verbatim memorization
semantic leakage
clinical data