In Internet of Things (IoT)-based healthcare, sensor nodes are deployed to detect the patient’s physiological data in a wireless sensor network. In order to prevent unwarranted users from accessing the sensor network to obtain patients’ data, designing lightweight and privacy-preserving authentication protocols plays a crucial role. Many lightweight authentication protocols for IoT-based healthcare have been proposed in recent years, but most of them may suffer from one or more security problems. In particular, few protocols can resist sensor node-captured attacks and achieve n-factor secrecy, which leads to unauthorized personnel being able to access the patient’s physiological data and obtain patients’ privacy. Therefore, a lightweight and privacy-preserving authentication protocol for healthcare based on elliptic curve cryptography (ECC) and physical unclonable function (PUF) is proposed to surmount the above obstacles. We design a dynamic anonymity strategy to achieve users’ anonymity and unlinkability and use PUF to protect information stored in users’ devices and sensor nodes. In addition, higher security features such as three-factor secrecy, perfect forward secrecy, resistance to sensor node-captured attacks, and update asynchronous attacks are guaranteed. The proposed protocol is proven to be secure under the random oracle model and maintains lightweight computing efficiency.