ORACLE PORTAL + VENDOR RISK EVIDENCE PACK
TITAN ORACLE · OPP-20260426-182730 · 2026-04-26T18:27:30.228621+00:00
Customer: TITAN AI Live Proof - 2026-04-26 · Pack ORACLE Portal + Vendor Risk v1.0.0
WHAT THIS PACK DOES IN 30 SECONDS
Stop the five leak patterns that cost Blue-class plans hundreds of millions
This pack retunes ORACLE to close the exact gaps that drove the biggest HIPAA settlements on record. It scans every customer portal page for Google Analytics, Meta Pixel, Hotjar, FullStory and 11 other trackers that leak PHI to ad networks. It watches every outbound email for insider exfiltration of SSNs, MRNs, and bulk spreadsheets to personal Gmail or Yahoo. It fingerprints MOVEit, Cleo, GoAnywhere and other file-transfer appliances against live CVE intel so you patch before the next Clop or BlackSuit raid. It cross-checks your vendor list against the real-time list of breached third parties (Conduent, Young Consulting, Cierant, NASCO, Change Healthcare). And it learns your environment round over round, so false positives fall and confidence climbs every week.
PORTAL TRACKER SCAN · PHI IN URL · INSIDER EMAIL EXFIL · FILE-TRANSFER CVE · VENDOR BREACH INTEL · SELF-LEARNING
How priority is computed (multi-factor risk score)
Each finding is scored 0-100 from four factors: Internet-facing · PHI exposure · Exploit-in-wild (CISA KEV) · Business criticality.
Each factor adds 25 points. P1 (24h) = score 75+. P2 (72h) = 50-74. P3 (next sprint) = under 50.
Every finding ships with a step-by-step remediation playbook (owner, effort, evidence to collect) so security teams can execute, not just react.
Detector Hits
| DETECTOR | HITS |
|---|---|
| file_transfer_cve | 7 |
| portal_tracker | 6 |
| phi_in_url | 2 |
| insider_email_exfil | 2 |
| vendor_breach_intel | 2 |
| vendor_missing_baa | 1 |
Blue-class Leak Pattern Coverage
1. Web tracker PHI leak — Google Analytics / Google Ads / Meta Pixel / Hotjar / FullStory / Adobe / LinkedIn / TikTok / Clarity / Mouseflow / CrazyEgg / Pendo / Segment / Amplitude / Mixpanel — mirrors the 4.7M Blue-class 2021-2024 leak pattern.
2. PHI in URL — MRN, SSN, DOB, member_id, patient_id, NPI, ICD-10 — prevents analytics pipelines and referrer leaks.
3. Insider email exfiltration — outbound to personal webmail with PHI signatures or bulk data attachments, including self-send pattern — mirrors the 2022 insider incident.
4. File transfer CVE exposure — MOVEit / Cleo / GoAnywhere / Accellion / WS_FTP with current CVEs — mirrors the 2023 MOVEit and 2024 Cleo incidents.
5. Third-party vendor breach — vendor inventory cross-checked against known recent breach intel (Conduent, Young Consulting, Cierant, NASCO, Change Healthcare) — mirrors the 2024 software-vendor ransomware and 2024-25 back-office vendor incidents.
HIPAA Controls Evidenced
| HIPAA CONTROL | FINDINGS |
|---|---|
| 164.502 | 10 |
| 164.308(a)(1) | 7 |
| 164.308(a)(5) | 7 |
| 164.312(e) | 7 |
| 164.504 | 4 |
| 164.508 | 4 |
| 164.308(b) | 3 |
| 164.502(e) | 3 |
| 164.514 | 2 |
| 164.308(a)(4) | 2 |
| 164.312(b) | 2 |
| 164.530(c) | 2 |
| 164.314(a) | 2 |
Self-Learning (ORACLE improves every round)
| SCAN ROUNDS | 7 |
| FIRST SCAN | 2026-04-24T20:55:58.756179+00:00 |
| LAST SCAN | 2026-04-26T18:27:30.219207+00:00 |
| ANALYST FEEDBACK | 0 |
| TRUE POSITIVES | 0 |
| FALSE POSITIVES | 0 |
| ANALYST SUPPRESSIONS | 0 |
| DETECTOR | HITS | TP | FP | CONFIDENCE |
|---|---|---|---|---|
| file_transfer_cve | 49 | 0 | 0 | 0.85 |
| portal_tracker | 42 | 0 | 0 | 0.85 |
| phi_in_url | 14 | 0 | 0 | 0.85 |
| insider_email_exfil | 14 | 0 | 0 | 0.85 |
| vendor_breach_intel | 14 | 0 | 0 | 0.85 |
| vendor_missing_baa | 7 | 0 | 0 | 0.85 |
Each analyst verdict raises detector confidence. Suppressed findings are remembered across runs. State persists on disk as oracle_portal_learning.json.
Threat Intelligence Feed
| TRACKER SIGNATURES | 15 |
| FILE-TRANSFER CVES TRACKED | 9 |
| BREACHED VENDORS TRACKED | 5 |
| ACTIVE RANSOMWARE GROUPS | 15 |
| PHI QUERY PARAMS | 21 |
| PERSONAL WEBMAIL DOMAINS | 14 |
Feed updates daily. CVE cross-check runs on every scan. Vendor intel expands as new breaches are disclosed.
RECOMMENDED PACKAGE
ENTERPRISE
$300K / year (floor, scales with user count and records)
Findings span all five Blue-class leak patterns with double-digit criticals. Enterprise tier includes unlimited users, all five detectors fully enabled, daily threat-feed updates, 24x7 on-call, quarterly red-team of the portal, and an SLA-backed breach response retainer.
ROI benchmark — Anchored against the $16M OCR Anthem fine and $115M Anthem class action, a single prevented incident returns 50x to 400x the subscription cost.
All Findings (20)
P1 · Fix in 24 hours
CRITICAL
file_transfer_cve
Progress MOVEit Transfer exposed to CVE-2023-34362
PRIORITY — P1 · Fix in 24 hours
| RISK SCORE | 100/100 |
| RISK FACTORS | + Internet Facing · + PHI Exposure · + Exploit In Wild · + Business Critical |
FINDING FACTS
| PRODUCT | Progress MOVEit Transfer |
| VENDOR | Progress Software |
| HOST | mft01.regional-health.example |
| INSTALLED VERSION | 2022.0.2 |
| CVE | CVE-2023-34362 |
| CVSS | 9.8 |
| AFFECTED BEFORE | 2022.1.5 / 2022.0.4 / 2021.1.4 / 2021.0.6 |
| DESCRIPTION | SQL injection leading to RCE actively exploited by Clop ransomware group, source of the Blue Shield CA May 2023 breach |
| DETECTED AT | 2026-04-26T18:27:30.218487+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-F6BFAAEDCFE1054B |
| TYPE | INC |
| CATEGORY | Vulnerability |
| PRIORITY | P1 |
| POLICY | ORACLE-FILE-TRANSFER-CVE-CRITICAL |
| HIPAA | 164.308(a)(1), 164.308(a)(5), 164.312(e) |
REMEDIATION PLAYBOOK — Patch managed-file-transfer appliance CVE
| OWNER | Security + Infrastructure |
| ESTIMATED EFFORT | 24 hours (P1 emergency) |
| EVIDENCE TO COLLECT | Patch confirmation + log review report + credential rotation ticket. Breach notification if applicable. |
| REGULATORY CITATION | CISA Known Exploited Vulnerabilities; HIPAA Breach Notification Rule 164.404. |
- Take the vulnerable appliance OFFLINE immediately. Block ingress at the network firewall while patching.
- Apply the vendor patch. Versions: MOVEit 2024.0+, Cleo 5.8.0.21+, GoAnywhere 7.4.1+, Accellion FTA EOL (replace with Kiteworks), WS_FTP 8.8.4+.
- Audit access logs for the last 90 days against IOCs in the CISA advisory and vendor security bulletin. Look for: unexpected admin sessions, file enumeration, data exfiltration spikes, abnormal user-agent strings.
- Rotate ALL credentials that touched the appliance: service-account passwords, integration API tokens, encryption keys, TLS certs.
- If ANY IOC matched: trigger your breach disclosure workflow (HHS OCR within 60 days for >500 records; state AG per state law). Engage outside counsel.
RECOMMENDED ACTION
Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE-specific virtual patches.
P1 · Fix in 24 hours
CRITICAL
file_transfer_cve
Progress MOVEit Transfer exposed to CVE-2023-35036
PRIORITY — P1 · Fix in 24 hours
| RISK SCORE | 100/100 |
| RISK FACTORS | + Internet Facing · + PHI Exposure · + Exploit In Wild · + Business Critical |
FINDING FACTS
| PRODUCT | Progress MOVEit Transfer |
| VENDOR | Progress Software |
| HOST | mft01.regional-health.example |
| INSTALLED VERSION | 2022.0.2 |
| CVE | CVE-2023-35036 |
| CVSS | 9.1 |
| AFFECTED BEFORE | None |
| DESCRIPTION | Additional SQLi in MOVEit Transfer |
| DETECTED AT | 2026-04-26T18:27:30.218527+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-4F444E7B8001388B |
| TYPE | INC |
| CATEGORY | Vulnerability |
| PRIORITY | P1 |
| POLICY | ORACLE-FILE-TRANSFER-CVE-CRITICAL |
| HIPAA | 164.308(a)(1), 164.308(a)(5), 164.312(e) |
REMEDIATION PLAYBOOK — Patch managed-file-transfer appliance CVE
| OWNER | Security + Infrastructure |
| ESTIMATED EFFORT | 24 hours (P1 emergency) |
| EVIDENCE TO COLLECT | Patch confirmation + log review report + credential rotation ticket. Breach notification if applicable. |
| REGULATORY CITATION | CISA Known Exploited Vulnerabilities; HIPAA Breach Notification Rule 164.404. |
- Take the vulnerable appliance OFFLINE immediately. Block ingress at the network firewall while patching.
- Apply the vendor patch. Versions: MOVEit 2024.0+, Cleo 5.8.0.21+, GoAnywhere 7.4.1+, Accellion FTA EOL (replace with Kiteworks), WS_FTP 8.8.4+.
- Audit access logs for the last 90 days against IOCs in the CISA advisory and vendor security bulletin. Look for: unexpected admin sessions, file enumeration, data exfiltration spikes, abnormal user-agent strings.
- Rotate ALL credentials that touched the appliance: service-account passwords, integration API tokens, encryption keys, TLS certs.
- If ANY IOC matched: trigger your breach disclosure workflow (HHS OCR within 60 days for >500 records; state AG per state law). Engage outside counsel.
RECOMMENDED ACTION
Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE-specific virtual patches.
P1 · Fix in 24 hours
CRITICAL
file_transfer_cve
Progress MOVEit Transfer exposed to CVE-2023-36934
PRIORITY — P1 · Fix in 24 hours
| RISK SCORE | 100/100 |
| RISK FACTORS | + Internet Facing · + PHI Exposure · + Exploit In Wild · + Business Critical |
FINDING FACTS
| PRODUCT | Progress MOVEit Transfer |
| VENDOR | Progress Software |
| HOST | mft01.regional-health.example |
| INSTALLED VERSION | 2022.0.2 |
| CVE | CVE-2023-36934 |
| CVSS | 9.1 |
| AFFECTED BEFORE | None |
| DESCRIPTION | Third SQLi vector patched July 2023 |
| DETECTED AT | 2026-04-26T18:27:30.218553+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-D71661F12300DB8A |
| TYPE | INC |
| CATEGORY | Vulnerability |
| PRIORITY | P1 |
| POLICY | ORACLE-FILE-TRANSFER-CVE-CRITICAL |
| HIPAA | 164.308(a)(1), 164.308(a)(5), 164.312(e) |
REMEDIATION PLAYBOOK — Patch managed-file-transfer appliance CVE
| OWNER | Security + Infrastructure |
| ESTIMATED EFFORT | 24 hours (P1 emergency) |
| EVIDENCE TO COLLECT | Patch confirmation + log review report + credential rotation ticket. Breach notification if applicable. |
| REGULATORY CITATION | CISA Known Exploited Vulnerabilities; HIPAA Breach Notification Rule 164.404. |
- Take the vulnerable appliance OFFLINE immediately. Block ingress at the network firewall while patching.
- Apply the vendor patch. Versions: MOVEit 2024.0+, Cleo 5.8.0.21+, GoAnywhere 7.4.1+, Accellion FTA EOL (replace with Kiteworks), WS_FTP 8.8.4+.
- Audit access logs for the last 90 days against IOCs in the CISA advisory and vendor security bulletin. Look for: unexpected admin sessions, file enumeration, data exfiltration spikes, abnormal user-agent strings.
- Rotate ALL credentials that touched the appliance: service-account passwords, integration API tokens, encryption keys, TLS certs.
- If ANY IOC matched: trigger your breach disclosure workflow (HHS OCR within 60 days for >500 records; state AG per state law). Engage outside counsel.
RECOMMENDED ACTION
Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE-specific virtual patches.
P1 · Fix in 24 hours
CRITICAL
file_transfer_cve
Cleo VLTrader / Harmony / LexiCom exposed to CVE-2024-50623
PRIORITY — P1 · Fix in 24 hours
| RISK SCORE | 100/100 |
| RISK FACTORS | + Internet Facing · + PHI Exposure · + Exploit In Wild · + Business Critical |
FINDING FACTS
| PRODUCT | Cleo VLTrader / Harmony / LexiCom |
| VENDOR | Cleo Communications |
| HOST | edi.regional-health.example |
| INSTALLED VERSION | 5.8.0.17 |
| CVE | CVE-2024-50623 |
| CVSS | 9.8 |
| AFFECTED BEFORE | 5.8.0.21 |
| DESCRIPTION | Unrestricted file upload leading to RCE, source of the BCBS Massachusetts Cierant breach December 2024 |
| DETECTED AT | 2026-04-26T18:27:30.218590+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-9BF360D936C152FA |
| TYPE | INC |
| CATEGORY | Vulnerability |
| PRIORITY | P1 |
| POLICY | ORACLE-FILE-TRANSFER-CVE-CRITICAL |
| HIPAA | 164.308(a)(1), 164.308(a)(5), 164.312(e) |
REMEDIATION PLAYBOOK — Patch managed-file-transfer appliance CVE
| OWNER | Security + Infrastructure |
| ESTIMATED EFFORT | 24 hours (P1 emergency) |
| EVIDENCE TO COLLECT | Patch confirmation + log review report + credential rotation ticket. Breach notification if applicable. |
| REGULATORY CITATION | CISA Known Exploited Vulnerabilities; HIPAA Breach Notification Rule 164.404. |
- Take the vulnerable appliance OFFLINE immediately. Block ingress at the network firewall while patching.
- Apply the vendor patch. Versions: MOVEit 2024.0+, Cleo 5.8.0.21+, GoAnywhere 7.4.1+, Accellion FTA EOL (replace with Kiteworks), WS_FTP 8.8.4+.
- Audit access logs for the last 90 days against IOCs in the CISA advisory and vendor security bulletin. Look for: unexpected admin sessions, file enumeration, data exfiltration spikes, abnormal user-agent strings.
- Rotate ALL credentials that touched the appliance: service-account passwords, integration API tokens, encryption keys, TLS certs.
- If ANY IOC matched: trigger your breach disclosure workflow (HHS OCR within 60 days for >500 records; state AG per state law). Engage outside counsel.
RECOMMENDED ACTION
Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE-specific virtual patches.
P1 · Fix in 24 hours
CRITICAL
file_transfer_cve
Cleo VLTrader / Harmony / LexiCom exposed to CVE-2024-55956
PRIORITY — P1 · Fix in 24 hours
| RISK SCORE | 100/100 |
| RISK FACTORS | + Internet Facing · + PHI Exposure · + Exploit In Wild · + Business Critical |
FINDING FACTS
| PRODUCT | Cleo VLTrader / Harmony / LexiCom |
| VENDOR | Cleo Communications |
| HOST | edi.regional-health.example |
| INSTALLED VERSION | 5.8.0.17 |
| CVE | CVE-2024-55956 |
| CVSS | 9.8 |
| AFFECTED BEFORE | 5.8.0.24 |
| DESCRIPTION | Patch-bypass of CVE-2024-50623, actively exploited |
| DETECTED AT | 2026-04-26T18:27:30.218614+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-D46DF391EC693B0B |
| TYPE | INC |
| CATEGORY | Vulnerability |
| PRIORITY | P1 |
| POLICY | ORACLE-FILE-TRANSFER-CVE-CRITICAL |
| HIPAA | 164.308(a)(1), 164.308(a)(5), 164.312(e) |
REMEDIATION PLAYBOOK — Patch managed-file-transfer appliance CVE
| OWNER | Security + Infrastructure |
| ESTIMATED EFFORT | 24 hours (P1 emergency) |
| EVIDENCE TO COLLECT | Patch confirmation + log review report + credential rotation ticket. Breach notification if applicable. |
| REGULATORY CITATION | CISA Known Exploited Vulnerabilities; HIPAA Breach Notification Rule 164.404. |
- Take the vulnerable appliance OFFLINE immediately. Block ingress at the network firewall while patching.
- Apply the vendor patch. Versions: MOVEit 2024.0+, Cleo 5.8.0.21+, GoAnywhere 7.4.1+, Accellion FTA EOL (replace with Kiteworks), WS_FTP 8.8.4+.
- Audit access logs for the last 90 days against IOCs in the CISA advisory and vendor security bulletin. Look for: unexpected admin sessions, file enumeration, data exfiltration spikes, abnormal user-agent strings.
- Rotate ALL credentials that touched the appliance: service-account passwords, integration API tokens, encryption keys, TLS certs.
- If ANY IOC matched: trigger your breach disclosure workflow (HHS OCR within 60 days for >500 records; state AG per state law). Engage outside counsel.
RECOMMENDED ACTION
Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE-specific virtual patches.
P1 · Fix in 24 hours
CRITICAL
file_transfer_cve
Fortra GoAnywhere MFT exposed to CVE-2024-0204
PRIORITY — P1 · Fix in 24 hours
| RISK SCORE | 100/100 |
| RISK FACTORS | + Internet Facing · + PHI Exposure · + Exploit In Wild · + Business Critical |
FINDING FACTS
| PRODUCT | Fortra GoAnywhere MFT |
| VENDOR | Fortra |
| HOST | ga.regional-health.example |
| INSTALLED VERSION | 7.1.1 |
| CVE | CVE-2024-0204 |
| CVSS | 9.8 |
| AFFECTED BEFORE | None |
| DESCRIPTION | Authentication bypass to admin |
| DETECTED AT | 2026-04-26T18:27:30.218663+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-AA232B7E5F82813A |
| TYPE | INC |
| CATEGORY | Vulnerability |
| PRIORITY | P1 |
| POLICY | ORACLE-FILE-TRANSFER-CVE-CRITICAL |
| HIPAA | 164.308(a)(1), 164.308(a)(5), 164.312(e) |
REMEDIATION PLAYBOOK — Patch managed-file-transfer appliance CVE
| OWNER | Security + Infrastructure |
| ESTIMATED EFFORT | 24 hours (P1 emergency) |
| EVIDENCE TO COLLECT | Patch confirmation + log review report + credential rotation ticket. Breach notification if applicable. |
| REGULATORY CITATION | CISA Known Exploited Vulnerabilities; HIPAA Breach Notification Rule 164.404. |
- Take the vulnerable appliance OFFLINE immediately. Block ingress at the network firewall while patching.
- Apply the vendor patch. Versions: MOVEit 2024.0+, Cleo 5.8.0.21+, GoAnywhere 7.4.1+, Accellion FTA EOL (replace with Kiteworks), WS_FTP 8.8.4+.
- Audit access logs for the last 90 days against IOCs in the CISA advisory and vendor security bulletin. Look for: unexpected admin sessions, file enumeration, data exfiltration spikes, abnormal user-agent strings.
- Rotate ALL credentials that touched the appliance: service-account passwords, integration API tokens, encryption keys, TLS certs.
- If ANY IOC matched: trigger your breach disclosure workflow (HHS OCR within 60 days for >500 records; state AG per state law). Engage outside counsel.
RECOMMENDED ACTION
Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE-specific virtual patches.
P1 · Fix in 24 hours
CRITICAL
phi_in_url
PHI identifier exposed in URL
PRIORITY — P1 · Fix in 24 hours
| RISK SCORE | 75/100 |
| RISK FACTORS | + Internet Facing · + PHI Exposure · + Business Critical |
FINDING FACTS
| URL | https://portal.regional-health.example/claim?mrn=MRN-884412&dob=04/17/1974 |
| MATCHED PARAMS | mrn, dob |
| PHI IN PATH | |
| PHI IN QUERY | mrn, dob |
| DETECTED AT | 2026-04-26T18:27:30.217608+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-5811D80CBB52CB50 |
| TYPE | INC |
| CATEGORY | Security / Privacy |
| PRIORITY | P1 |
| POLICY | ORACLE-PORTAL-URL-PHI-BLOCK |
| HIPAA | 164.502, 164.514 |
REMEDIATION PLAYBOOK — Stop PHI from appearing in URL query strings
| OWNER | Application Engineering + DevOps |
| ESTIMATED EFFORT | 2-4 weeks (web app change + log scrub) |
| EVIDENCE TO COLLECT | Before/after URL pattern samples + log scrub completion ticket. |
| REGULATORY CITATION | HIPAA 164.312(e)(1) Transmission Security; OCR breach reporting threshold 500 records. |
- Pull every URL flagged by ORACLE with PHI patterns (SSN/MRN/DOB/NPI/ICD-10/credit card).
- Refactor web/mobile app: switch sensitive params from GET (URL) to POST (body). Critical for any redirect chain that touches CDN/web logs.
- Implement URL sanitization at the gateway layer: Cloudflare Logpush field-exclusion, NGINX log_format with masking, or AWS CloudFront field-level encryption.
- Purge web logs that contain historical PHI URLs (HIPAA breach if logged + retained beyond minimum-necessary).
- Add a CI lint rule blocking new code that places PHI patterns into query strings. Train developers.
RECOMMENDED ACTION
Stop passing identifiers through URL query strings. Move identifiers into POST bodies or server-side session lookups. URLs land in browser history, server logs, referrer headers, and analytics pipelines.
P1 · Fix in 24 hours
CRITICAL
phi_in_url
PHI identifier exposed in URL
PRIORITY — P1 · Fix in 24 hours
| RISK SCORE | 75/100 |
| RISK FACTORS | + Internet Facing · + PHI Exposure · + Business Critical |
FINDING FACTS
| URL | https://portal.regional-health.example/auth?member_id=SUB-221199&ssn=123-45-6789 |
| MATCHED PARAMS | member_id, ssn |
| PHI IN PATH | |
| PHI IN QUERY | ssn |
| DETECTED AT | 2026-04-26T18:27:30.217772+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-DFAB2D36879A2546 |
| TYPE | INC |
| CATEGORY | Security / Privacy |
| PRIORITY | P1 |
| POLICY | ORACLE-PORTAL-URL-PHI-BLOCK |
| HIPAA | 164.502, 164.514 |
REMEDIATION PLAYBOOK — Stop PHI from appearing in URL query strings
| OWNER | Application Engineering + DevOps |
| ESTIMATED EFFORT | 2-4 weeks (web app change + log scrub) |
| EVIDENCE TO COLLECT | Before/after URL pattern samples + log scrub completion ticket. |
| REGULATORY CITATION | HIPAA 164.312(e)(1) Transmission Security; OCR breach reporting threshold 500 records. |
- Pull every URL flagged by ORACLE with PHI patterns (SSN/MRN/DOB/NPI/ICD-10/credit card).
- Refactor web/mobile app: switch sensitive params from GET (URL) to POST (body). Critical for any redirect chain that touches CDN/web logs.
- Implement URL sanitization at the gateway layer: Cloudflare Logpush field-exclusion, NGINX log_format with masking, or AWS CloudFront field-level encryption.
- Purge web logs that contain historical PHI URLs (HIPAA breach if logged + retained beyond minimum-necessary).
- Add a CI lint rule blocking new code that places PHI patterns into query strings. Train developers.
RECOMMENDED ACTION
Stop passing identifiers through URL query strings. Move identifiers into POST bodies or server-side session lookups. URLs land in browser history, server logs, referrer headers, and analytics pipelines.
P1 · Fix in 24 hours
CRITICAL
portal_tracker
Tracker google_analytics present on analytics surface
PRIORITY — P1 · Fix in 24 hours
| RISK SCORE | 75/100 |
| RISK FACTORS | + Internet Facing · + PHI Exposure · + Business Critical |
FINDING FACTS
| URL | https://portal.regional-health.example/login |
| TRACKER | google_analytics |
| CATEGORY | analytics |
| MATCH TOKEN | googletagmanager.com |
| PHI PAGE CONTEXT | True |
| DETECTED AT | 2026-04-26T18:27:30.216595+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-3E0451A902399E93 |
| TYPE | INC |
| CATEGORY | Security / Privacy |
| PRIORITY | P1 |
| POLICY | ORACLE-PORTAL-TRACKER-BLOCK |
| HIPAA | 164.502, 164.504, 164.508 |
REMEDIATION PLAYBOOK — Remove third-party trackers from PHI pages
| OWNER | Web/Marketing + Privacy |
| ESTIMATED EFFORT | 1-2 weeks |
| EVIDENCE TO COLLECT | Pre/post page-source diff + CSP header screenshot. |
| REGULATORY CITATION | OCR HIPAA bulletin Dec 2022 + 4.7M-record Blue-class settlements 2021-2024. |
- Identify every page returning PHI (member portal, claims, EOBs, secure messaging) and list the trackers loading on each.
- Remove all third-party tracking scripts (Google Analytics 4, Meta Pixel, Hotjar, FullStory, Adobe, LinkedIn, TikTok, Clarity, Mouseflow, CrazyEgg, Pendo, Segment, Amplitude, Mixpanel) from those pages, working with Marketing/Web team.
- If analytics is required, sign a HIPAA-compliant BAA with the vendor first (note: Google does NOT sign BAA for standard GA4 - use Workspace Healthcare with limited scope).
- Configure a Content-Security-Policy header on PHI pages that blocks unauthorized analytics domains.
- Re-scan weekly with TITAN ORACLE to confirm no regression. Auto-ticket any new tracker via CONDUIT.
RECOMMENDED ACTION
Remove the tracker from every page that renders or receives PHI. If retention is required, route through a HIPAA-compliant analytics pipeline with a BAA in place.
P1 · Fix in 24 hours
CRITICAL
portal_tracker
Tracker meta_pixel present on advertising surface
PRIORITY — P1 · Fix in 24 hours
| RISK SCORE | 75/100 |
| RISK FACTORS | + Internet Facing · + PHI Exposure · + Business Critical |
FINDING FACTS
| URL | https://portal.regional-health.example/login |
| TRACKER | meta_pixel |
| CATEGORY | advertising |
| MATCH TOKEN | connect.facebook.net |
| PHI PAGE CONTEXT | True |
| DETECTED AT | 2026-04-26T18:27:30.216702+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-4454BE9075F7B2BD |
| TYPE | INC |
| CATEGORY | Security / Privacy |
| PRIORITY | P1 |
| POLICY | ORACLE-PORTAL-TRACKER-BLOCK |
| HIPAA | 164.502, 164.508 |
REMEDIATION PLAYBOOK — Remove third-party trackers from PHI pages
| OWNER | Web/Marketing + Privacy |
| ESTIMATED EFFORT | 1-2 weeks |
| EVIDENCE TO COLLECT | Pre/post page-source diff + CSP header screenshot. |
| REGULATORY CITATION | OCR HIPAA bulletin Dec 2022 + 4.7M-record Blue-class settlements 2021-2024. |
- Identify every page returning PHI (member portal, claims, EOBs, secure messaging) and list the trackers loading on each.
- Remove all third-party tracking scripts (Google Analytics 4, Meta Pixel, Hotjar, FullStory, Adobe, LinkedIn, TikTok, Clarity, Mouseflow, CrazyEgg, Pendo, Segment, Amplitude, Mixpanel) from those pages, working with Marketing/Web team.
- If analytics is required, sign a HIPAA-compliant BAA with the vendor first (note: Google does NOT sign BAA for standard GA4 - use Workspace Healthcare with limited scope).
- Configure a Content-Security-Policy header on PHI pages that blocks unauthorized analytics domains.
- Re-scan weekly with TITAN ORACLE to confirm no regression. Auto-ticket any new tracker via CONDUIT.
RECOMMENDED ACTION
Remove the tracker from every page that renders or receives PHI. If retention is required, route through a HIPAA-compliant analytics pipeline with a BAA in place.
P1 · Fix in 24 hours
CRITICAL
portal_tracker
Tracker hotjar present on session_replay surface
PRIORITY — P1 · Fix in 24 hours
| RISK SCORE | 75/100 |
| RISK FACTORS | + Internet Facing · + PHI Exposure · + Business Critical |
FINDING FACTS
| URL | https://portal.regional-health.example/login |
| TRACKER | hotjar |
| CATEGORY | session_replay |
| MATCH TOKEN | static.hotjar.com |
| PHI PAGE CONTEXT | True |
| DETECTED AT | 2026-04-26T18:27:30.216791+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-224F695A69CFB1D7 |
| TYPE | INC |
| CATEGORY | Security / Privacy |
| PRIORITY | P1 |
| POLICY | ORACLE-PORTAL-TRACKER-BLOCK |
| HIPAA | 164.502, 164.504 |
REMEDIATION PLAYBOOK — Remove third-party trackers from PHI pages
| OWNER | Web/Marketing + Privacy |
| ESTIMATED EFFORT | 1-2 weeks |
| EVIDENCE TO COLLECT | Pre/post page-source diff + CSP header screenshot. |
| REGULATORY CITATION | OCR HIPAA bulletin Dec 2022 + 4.7M-record Blue-class settlements 2021-2024. |
- Identify every page returning PHI (member portal, claims, EOBs, secure messaging) and list the trackers loading on each.
- Remove all third-party tracking scripts (Google Analytics 4, Meta Pixel, Hotjar, FullStory, Adobe, LinkedIn, TikTok, Clarity, Mouseflow, CrazyEgg, Pendo, Segment, Amplitude, Mixpanel) from those pages, working with Marketing/Web team.
- If analytics is required, sign a HIPAA-compliant BAA with the vendor first (note: Google does NOT sign BAA for standard GA4 - use Workspace Healthcare with limited scope).
- Configure a Content-Security-Policy header on PHI pages that blocks unauthorized analytics domains.
- Re-scan weekly with TITAN ORACLE to confirm no regression. Auto-ticket any new tracker via CONDUIT.
RECOMMENDED ACTION
Remove the tracker from every page that renders or receives PHI. If retention is required, route through a HIPAA-compliant analytics pipeline with a BAA in place.
P1 · Fix in 24 hours
CRITICAL
portal_tracker
Tracker google_analytics present on analytics surface
PRIORITY — P1 · Fix in 24 hours
| RISK SCORE | 75/100 |
| RISK FACTORS | + Internet Facing · + PHI Exposure · + Business Critical |
FINDING FACTS
| URL | https://portal.regional-health.example/account |
| TRACKER | google_analytics |
| CATEGORY | analytics |
| MATCH TOKEN | googletagmanager.com |
| PHI PAGE CONTEXT | True |
| DETECTED AT | 2026-04-26T18:27:30.216933+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-FB75969F1DD05FAA |
| TYPE | INC |
| CATEGORY | Security / Privacy |
| PRIORITY | P1 |
| POLICY | ORACLE-PORTAL-TRACKER-BLOCK |
| HIPAA | 164.502, 164.504, 164.508 |
REMEDIATION PLAYBOOK — Remove third-party trackers from PHI pages
| OWNER | Web/Marketing + Privacy |
| ESTIMATED EFFORT | 1-2 weeks |
| EVIDENCE TO COLLECT | Pre/post page-source diff + CSP header screenshot. |
| REGULATORY CITATION | OCR HIPAA bulletin Dec 2022 + 4.7M-record Blue-class settlements 2021-2024. |
- Identify every page returning PHI (member portal, claims, EOBs, secure messaging) and list the trackers loading on each.
- Remove all third-party tracking scripts (Google Analytics 4, Meta Pixel, Hotjar, FullStory, Adobe, LinkedIn, TikTok, Clarity, Mouseflow, CrazyEgg, Pendo, Segment, Amplitude, Mixpanel) from those pages, working with Marketing/Web team.
- If analytics is required, sign a HIPAA-compliant BAA with the vendor first (note: Google does NOT sign BAA for standard GA4 - use Workspace Healthcare with limited scope).
- Configure a Content-Security-Policy header on PHI pages that blocks unauthorized analytics domains.
- Re-scan weekly with TITAN ORACLE to confirm no regression. Auto-ticket any new tracker via CONDUIT.
RECOMMENDED ACTION
Remove the tracker from every page that renders or receives PHI. If retention is required, route through a HIPAA-compliant analytics pipeline with a BAA in place.
P1 · Fix in 24 hours
CRITICAL
portal_tracker
Tracker meta_pixel present on advertising surface
PRIORITY — P1 · Fix in 24 hours
| RISK SCORE | 75/100 |
| RISK FACTORS | + Internet Facing · + PHI Exposure · + Business Critical |
FINDING FACTS
| URL | https://portal.regional-health.example/account |
| TRACKER | meta_pixel |
| CATEGORY | advertising |
| MATCH TOKEN | connect.facebook.net |
| PHI PAGE CONTEXT | True |
| DETECTED AT | 2026-04-26T18:27:30.217055+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-8E1324F03CB566AF |
| TYPE | INC |
| CATEGORY | Security / Privacy |
| PRIORITY | P1 |
| POLICY | ORACLE-PORTAL-TRACKER-BLOCK |
| HIPAA | 164.502, 164.508 |
REMEDIATION PLAYBOOK — Remove third-party trackers from PHI pages
| OWNER | Web/Marketing + Privacy |
| ESTIMATED EFFORT | 1-2 weeks |
| EVIDENCE TO COLLECT | Pre/post page-source diff + CSP header screenshot. |
| REGULATORY CITATION | OCR HIPAA bulletin Dec 2022 + 4.7M-record Blue-class settlements 2021-2024. |
- Identify every page returning PHI (member portal, claims, EOBs, secure messaging) and list the trackers loading on each.
- Remove all third-party tracking scripts (Google Analytics 4, Meta Pixel, Hotjar, FullStory, Adobe, LinkedIn, TikTok, Clarity, Mouseflow, CrazyEgg, Pendo, Segment, Amplitude, Mixpanel) from those pages, working with Marketing/Web team.
- If analytics is required, sign a HIPAA-compliant BAA with the vendor first (note: Google does NOT sign BAA for standard GA4 - use Workspace Healthcare with limited scope).
- Configure a Content-Security-Policy header on PHI pages that blocks unauthorized analytics domains.
- Re-scan weekly with TITAN ORACLE to confirm no regression. Auto-ticket any new tracker via CONDUIT.
RECOMMENDED ACTION
Remove the tracker from every page that renders or receives PHI. If analytics retention is required, route it through a HIPAA-compliant analytics pipeline with a BAA in place.
P1 · Fix in 24 hours
CRITICAL
portal_tracker
Tracker hotjar present on session_replay surface
PRIORITY — P1 · Fix in 24 hours
| RISK SCORE | 75/100 |
| RISK FACTORS | Internet Facing, PHI Exposure, Business Critical |
FINDING FACTS
| URL | https://portal.regional-health.example/account |
| TRACKER | hotjar |
| CATEGORY | session_replay |
| MATCH TOKEN | static.hotjar.com |
| PHI PAGE CONTEXT | True |
| DETECTED AT | 2026-04-26T18:27:30.217132+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-73295ED85DA83294 |
| TYPE | INC |
| CATEGORY | Security / Privacy |
| PRIORITY | P1 |
| POLICY | ORACLE-PORTAL-TRACKER-BLOCK |
| HIPAA | 164.502, 164.504 |
REMEDIATION PLAYBOOK — Remove third-party trackers from PHI pages
| OWNER | Web/Marketing + Privacy |
| ESTIMATED EFFORT | 1-2 weeks |
| EVIDENCE TO COLLECT | Pre/post page-source diff + CSP header screenshot. |
| REGULATORY CITATION | OCR HIPAA bulletin Dec 2022 + 4.7M-record Blue-class settlements 2021-2024. |
- Identify every page returning PHI (member portal, claims, EOBs, secure messaging) and list the trackers loading on each.
- Remove all third-party tracking scripts (Google Analytics 4, Meta Pixel, Hotjar, FullStory, Adobe, LinkedIn, TikTok, Clarity, Mouseflow, CrazyEgg, Pendo, Segment, Amplitude, Mixpanel) from those pages, working with Marketing/Web team.
- If analytics is required, sign a HIPAA-compliant BAA with the vendor first (note: Google does NOT sign BAA for standard GA4 - use Workspace Healthcare with limited scope).
- Configure a Content-Security-Policy header on PHI pages that blocks unauthorized analytics domains.
- Re-scan weekly with TITAN ORACLE to confirm no regression. Auto-ticket any new tracker via CONDUIT.
RECOMMENDED ACTION
Remove the tracker from every page that renders or receives PHI. If analytics retention is required, route it through a HIPAA-compliant analytics pipeline with a BAA in place.
P1 · Fix in 24 hours
HIGH
file_transfer_cve
Fortra GoAnywhere MFT exposed to CVE-2023-0669
PRIORITY — P1 · Fix in 24 hours
| RISK SCORE | 100/100 |
| RISK FACTORS | Internet Facing, PHI Exposure, Exploit In Wild, Business Critical |
FINDING FACTS
| PRODUCT | Fortra GoAnywhere MFT |
| VENDOR | Fortra |
| HOST | ga.regional-health.example |
| INSTALLED VERSION | 7.1.1 |
| CVE | CVE-2023-0669 |
| CVSS | 7.2 |
| AFFECTED BEFORE | None |
| DESCRIPTION | Pre-auth RCE exploited by Clop for mass data theft |
| DETECTED AT | 2026-04-26T18:27:30.218641+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-E67E261B63EE660C |
| TYPE | INC |
| CATEGORY | Vulnerability |
| PRIORITY | P1 |
| POLICY | ORACLE-FILE-TRANSFER-CVE-HIGH |
| HIPAA | 164.308(a)(1), 164.308(a)(5), 164.312(e) |
REMEDIATION PLAYBOOK — Patch managed-file-transfer appliance CVE
| OWNER | Security + Infrastructure |
| ESTIMATED EFFORT | 24 hours (P1 emergency) |
| EVIDENCE TO COLLECT | Patch confirmation + log review report + credential rotation ticket. Breach notification if applicable. |
| REGULATORY CITATION | CISA Known Exploited Vulnerabilities; HIPAA Breach Notification Rule 164.404. |
- Take the vulnerable appliance OFFLINE immediately. Block ingress at the network firewall while patching.
- Apply the vendor patch. Versions: MOVEit 2024.0+, Cleo 5.8.0.21+, GoAnywhere 7.4.1+, Accellion FTA EOL (replace with Kiteworks), WS_FTP 8.8.4+.
- Audit access logs for the last 90 days against IOCs in the CISA advisory and vendor security bulletin. Look for: unexpected admin sessions, file enumeration, data exfiltration spikes, abnormal user-agent strings.
- Rotate ALL credentials that touched the appliance: service-account passwords, integration API tokens, encryption keys, TLS certs.
- If ANY IOC matched: trigger your breach disclosure workflow (HHS OCR within 60 days for >500 records; state AG per state law). Engage outside counsel.
RECOMMENDED ACTION
Patch the file-transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE-specific virtual patches.
P2 · Fix in 72 hours
CRITICAL
insider_email_exfil
Outbound email to personal webmail (gmail.com)
PRIORITY — P2 · Fix in 72 hours
| RISK SCORE | 50/100 |
| RISK FACTORS | PHI Exposure, Business Critical |
FINDING FACTS
| FROM | [email protected] |
| TO | [email protected] |
| TO DOMAIN | gmail.com |
| SUBJECT | member roster backup |
| ATTACHMENTS | member-roster-Q2.xlsx |
| SIZE (BYTES) | 4194304 |
| PHI SIGNATURES | |
| RISK FACTORS | has_attachment, attachment_over_1mb, bulk_data_file_type, self_send_to_personal_account |
| DETECTED AT | 2026-04-26T18:27:30.218147+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-100A8EDB801B3BF5 |
| TYPE | INC |
| CATEGORY | Insider Threat |
| PRIORITY | P2 |
| POLICY | ORACLE-INSIDER-EXFIL-BLOCK |
| HIPAA | 164.308(a)(4), 164.312(b), 164.502, 164.530(c) |
REMEDIATION PLAYBOOK — Block PHI exfiltration via personal email
| OWNER | Security + HR + IT |
| ESTIMATED EFFORT | 3-5 days (DLP rule + investigation) |
| EVIDENCE TO COLLECT | DLP rule export + quarantine log + completed user-investigation ticket. |
| REGULATORY CITATION | HIPAA 164.308(a)(3)(ii)(B) Workforce Sanctions; HIPAA 164.312(b) Audit Controls. |
- Create a Microsoft 365 / Google Workspace DLP rule: outbound email to personal-domain recipients (gmail.com, yahoo.com, outlook.com, hotmail.com, icloud.com, aol.com, etc.) containing PHI patterns or bulk attachments (CSV/XLS/ZIP) is blocked and quarantined for 7 days.
- Notify the user via auto-reply: 'Message contained PHI and was held. Contact privacy@yourco for review.'
- Audit the flagged user account for the last 90 days: similar attempts, after-hours access, large downloads.
- If a pattern of intentional exfiltration is detected, escalate to HR + legal under your AUP. Most incidents are accidental and resolved with training.
- Update Acceptable Use Policy to clarify PHI may not leave corporate email, ever. Get every employee acknowledgment.
RECOMMENDED ACTION
Quarantine the message, notify the privacy officer, and open a HIPAA sanctions case under 164.530(e). Block personal webmail domains at the secure email gateway for employees with PHI access.
P2 · Fix in 72 hours
CRITICAL
insider_email_exfil
Outbound email to personal webmail (yahoo.com)
PRIORITY — P2 · Fix in 72 hours
| RISK SCORE | 50/100 |
| RISK FACTORS | PHI Exposure, Business Critical |
FINDING FACTS
| FROM | [email protected] |
| TO | [email protected] |
| TO DOMAIN | yahoo.com |
| SUBJECT | claims overflow |
| ATTACHMENTS | claims-export.csv |
| SIZE (BYTES) | 812000 |
| PHI SIGNATURES | ssn, mrn, dob |
| RISK FACTORS | has_attachment, bulk_data_file_type, phi_signatures_present, self_send_to_personal_account |
| DETECTED AT | 2026-04-26T18:27:30.218392+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-204A4AF4A53EAE60 |
| TYPE | INC |
| CATEGORY | Insider Threat |
| PRIORITY | P2 |
| POLICY | ORACLE-INSIDER-EXFIL-BLOCK |
| HIPAA | 164.308(a)(4), 164.312(b), 164.502, 164.530(c) |
REMEDIATION PLAYBOOK — Block PHI exfiltration via personal email
| OWNER | Security + HR + IT |
| ESTIMATED EFFORT | 3-5 days (DLP rule + investigation) |
| EVIDENCE TO COLLECT | DLP rule export + quarantine log + completed user-investigation ticket. |
| REGULATORY CITATION | HIPAA 164.308(a)(3)(ii)(B) Workforce Sanctions; HIPAA 164.312(b) Audit Controls. |
- Create a Microsoft 365 / Google Workspace DLP rule: outbound email to personal-domain recipients (gmail.com, yahoo.com, outlook.com, hotmail.com, icloud.com, aol.com, etc.) containing PHI patterns or bulk attachments (CSV/XLS/ZIP) is blocked and quarantined for 7 days.
- Notify the user via auto-reply: 'Message contained PHI and was held. Contact privacy@yourco for review.'
- Audit the flagged user account for the last 90 days: similar attempts, after-hours access, large downloads.
- If a pattern of intentional exfiltration is detected, escalate to HR + legal under your AUP. Most incidents are accidental and resolved with training.
- Update Acceptable Use Policy to clarify PHI may not leave corporate email, ever. Get every employee acknowledgment.
RECOMMENDED ACTION
Quarantine the message, notify the privacy officer, and open a HIPAA sanctions case under 164.530(e). Block personal webmail domains at the secure email gateway for employees with PHI access.
P2 · Fix in 72 hours
CRITICAL
vendor_breach_intel
Vendor match against recent breach intel: Conduent Business Services
PRIORITY — P2 · Fix in 72 hours
| RISK SCORE | 50/100 |
| RISK FACTORS | PHI Exposure, Business Critical |
FINDING FACTS
| VENDOR | Conduent Business Services |
| BREACH WINDOW | 2024-10-21 to 2025-01-13 |
| RANSOMWARE GROUP | None |
| US REACH | 25000000 |
| BAA ON FILE | True |
| SERVICES | print, mail, PHI |
| DETECTED AT | 2026-04-26T18:27:30.218699+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-18CA2EA4B6EDD206 |
| TYPE | INC |
| CATEGORY | Vendor / Third Party |
| PRIORITY | P2 |
| POLICY | ORACLE-VENDOR-BREACH-INTEL-MATCH |
| HIPAA | 164.308(b), 164.314(a), 164.502(e) |
REMEDIATION PLAYBOOK — Re-evaluate vendor in active OCR breach list
| OWNER | Privacy + Procurement + Security |
| ESTIMATED EFFORT | 1-2 weeks (BAA review + attestation) |
| EVIDENCE TO COLLECT | BAA amendment + vendor attestation + updated vendor risk score. |
| REGULATORY CITATION | HIPAA 164.502(e) Business Associate Contracts; OCR enforcement actions on vendor PHI exposures. |
- Confirm whether the breached vendor is in your supply chain. Cross-reference against your BAA inventory.
- Request the vendor's incident report + a fresh attestation describing remediation and monitoring controls put in place.
- Review the existing BAA: ensure the breach-notification clause meets HIPAA timing requirements and your contract right-to-audit terms allow validation.
- Tighten the data-share contract: minimum-necessary access, encryption-at-rest required, key separation, no offshore processing without explicit consent.
- Add the vendor to your annual security review calendar. Don't wait for the next incident.
RECOMMENDED ACTION
Treat this vendor as compromised until they produce a clean forensic report. Rotate any shared secrets, pull recent exchange logs, and issue member notifications if PHI transited the vendor in the breach window.
P2 · Fix in 72 hours
CRITICAL
vendor_breach_intel
Vendor match against recent breach intel: Young Consulting / Connexure
PRIORITY — P2 · Fix in 72 hours
| RISK SCORE | 50/100 |
| RISK FACTORS | PHI Exposure, Business Critical |
FINDING FACTS
| VENDOR | Young Consulting / Connexure |
| BREACH WINDOW | 2024-04-10 to 2024-04-13 |
| RANSOMWARE GROUP | BlackSuit |
| US REACH | 954177 |
| BAA ON FILE | True |
| SERVICES | stop loss software |
| DETECTED AT | 2026-04-26T18:27:30.218731+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-E7FD012C788CC09A |
| TYPE | INC |
| CATEGORY | Vendor / Third Party |
| PRIORITY | P2 |
| POLICY | ORACLE-VENDOR-BREACH-INTEL-MATCH |
| HIPAA | 164.308(b), 164.314(a), 164.502(e) |
REMEDIATION PLAYBOOK — Re-evaluate vendor in active OCR breach list
| OWNER | Privacy + Procurement + Security |
| ESTIMATED EFFORT | 1-2 weeks (BAA review + attestation) |
| EVIDENCE TO COLLECT | BAA amendment + vendor attestation + updated vendor risk score. |
| REGULATORY CITATION | HIPAA 164.502(e) Business Associate Contracts; OCR enforcement actions on vendor PHI exposures. |
- Confirm whether the breached vendor is in your supply chain. Cross-reference against your BAA inventory.
- Request the vendor's incident report + a fresh attestation describing remediation and monitoring controls put in place.
- Review the existing BAA: ensure the breach-notification clause meets HIPAA timing requirements and your contract right-to-audit terms allow validation.
- Tighten the data-share contract: minimum-necessary access, encryption-at-rest required, key separation, no offshore processing without explicit consent.
- Add the vendor to your annual security review calendar. Don't wait for the next incident.
RECOMMENDED ACTION
Treat this vendor as compromised until they produce a clean forensic report. Rotate any shared secrets, pull recent exchange logs, and issue member notifications if PHI transited the vendor in the breach window.
P3 · Fix in next sprint (2 weeks)
HIGH
vendor_missing_baa
Vendor missing BAA: New Analytics Startup
PRIORITY — P3 · Fix in next sprint (2 weeks)
| RISK SCORE | 25/100 |
| RISK FACTORS | Business Critical |
FINDING FACTS
| VENDOR | New Analytics Startup |
| SERVICES | claims, PHI |
| DETECTED AT | 2026-04-26T18:27:30.218762+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-066B59644BF8958E |
| TYPE | CHG |
| CATEGORY | Vendor / Third Party |
| PRIORITY | P3 |
| POLICY | ORACLE-VENDOR-MISSING-BAA |
| HIPAA | 164.308(b), 164.502(e) |
RECOMMENDED ACTION
Execute a Business Associate Agreement before any further PHI exchange. If the vendor refuses, stop the data flow within 30 days.
TITAN AI · ORACLE Portal + Vendor Risk Pack · Generated 2026-04-26T18:27:30.228621+00:00