diff --git a/docker/pii.Dockerfile b/docker/pii.Dockerfile
index 1045a762e6..96153208f5 100644
--- a/docker/pii.Dockerfile
+++ b/docker/pii.Dockerfile
@@ -38,11 +38,13 @@ RUN groupadd -g 1001 pii && \
     chown -R pii:pii /app
 USER pii
 
-EXPOSE 3000
+# Listen on 5001. In the ECS task all containers share one network namespace
+# (awsvpc) and the app owns 3000, so this sidecar must not use 3000.
+EXPOSE 5001
 
 # start-period is generous: five large spaCy models load at import before
 # /health responds. Tune against measured cold-start once built.
 HEALTHCHECK --interval=30s --timeout=5s --start-period=180s --retries=3 \
-    CMD curl -fsS http://localhost:3000/health || exit 1
+    CMD curl -fsS http://localhost:5001/health || exit 1
 
-CMD ["uvicorn", "server:app", "--host", "0.0.0.0", "--port", "3000"]
+CMD ["uvicorn", "server:app", "--host", "0.0.0.0", "--port", "5001"]