In the era of rapid technological advancement, the Internet of Things (IoT) has revolutionised healthcare through systems like the Telecare Medicine Information System (TMIS), designed to streamline patient-doctor interactions and enhance medical treatment. However, the transmission of sensitive patient data over inherently insecure Internet channels exposes it to a spectrum of security risks. Protecting patient medical privacy and ensuring system reliability necessitate mutual authentication between patients and medical servers. TMIS relies on robust authentication mechanisms, and combining passwords and smart cards has been a recognised approach for mutual authentication. This research introduces an innovative three-factor authentication technique with perfect forward secrecy by leveraging Elliptic Curve Cryptography (ECC) in tandem with smart cards. Additionally, we have incorporated biometric authentication with a fuzzy extractor to enhance the security and reliability of the system, setting a new standard for user authentication within the realm of Social IoT healthcare. The use of ECC in the method is justified by its compact key size and strong security, making the solution both efficient and secure. The proposed method safeguards user privacy by permitting registered users to change their passwords without divulging their identity to the server. The Burrows–Abadi–Needham logic (also known as BAN logic) serves as a proof-of-concept for the proposed scheme’s security. Our system provides privacy protection along with mutual authentication and session key negotiation at a considerably low computation cost and communication cost of up to 71.03% compared to the other four relevant techniques, making it more useful in real-world scenarios.