{
  "report_id": "OPP-20260426-182730",
  "generated_at": "2026-04-26T18:27:30.228621+00:00",
  "tenant": "TITAN AI Live Proof - 2026-04-26",
  "pack": "ORACLE Portal + Vendor Risk",
  "pack_version": "1.0.0",
  "summary": {
    "total_findings": 20,
    "by_severity": {
      "critical": 18,
      "high": 2,
      "medium": 0,
      "low": 0
    },
    "by_detector": {
      "portal_tracker": 6,
      "phi_in_url": 2,
      "insider_email_exfil": 2,
      "file_transfer_cve": 7,
      "vendor_breach_intel": 2,
      "vendor_missing_baa": 1
    },
    "by_priority": {
      "P1": 15,
      "P2": 4,
      "P3": 1
    },
    "hipaa_controls_exercised": {
      "164.502": 10,
      "164.504": 4,
      "164.508": 4,
      "164.514": 2,
      "164.308(a)(4)": 2,
      "164.312(b)": 2,
      "164.530(c)": 2,
      "164.308(a)(1)": 7,
      "164.308(a)(5)": 7,
      "164.312(e)": 7,
      "164.308(b)": 3,
      "164.314(a)": 2,
      "164.502(e)": 3
    }
  },
  "threat_feed": {
    "ransomware_groups_tracked": 15,
    "breached_vendors_tracked": 5,
    "file_transfer_cves_tracked": 9,
    "tracker_signatures_tracked": 15,
    "phi_query_params_tracked": 21,
    "personal_email_domains_tracked": 14,
    "top_critical_cves": [
      {
        "id": "CVE-2023-40044",
        "cvss": 10.0,
        "product": "Progress WS_FTP Server"
      },
      {
        "id": "CVE-2023-34362",
        "cvss": 9.8,
        "product": "Progress MOVEit Transfer"
      },
      {
        "id": "CVE-2024-50623",
        "cvss": 9.8,
        "product": "Cleo VLTrader / Harmony / LexiCom"
      },
      {
        "id": "CVE-2024-55956",
        "cvss": 9.8,
        "product": "Cleo VLTrader / Harmony / LexiCom"
      },
      {
        "id": "CVE-2024-0204",
        "cvss": 9.8,
        "product": "Fortra GoAnywhere MFT"
      },
      {
        "id": "CVE-2021-27101",
        "cvss": 9.8,
        "product": "Accellion FTA (legacy)"
      }
    ]
  },
  "learning": {
    "rounds": 7,
    "first_scan_at": "2026-04-24T20:55:58.756179+00:00",
    "last_scan_at": "2026-04-26T18:27:30.219207+00:00",
    "total_hits_all_time": 140,
    "total_feedback": 0,
    "true_positives": 0,
    "false_positives": 0,
    "suppressions": 0,
    "per_detector": [
      {
        "detector": "file_transfer_cve",
        "hits": 49,
        "tp": 0,
        "fp": 0,
        "confidence": 0.85,
        "last_seen": "2026-04-26T18:27:30.219387+00:00"
      },
      {
        "detector": "portal_tracker",
        "hits": 42,
        "tp": 0,
        "fp": 0,
        "confidence": 0.85,
        "last_seen": "2026-04-26T18:27:30.219289+00:00"
      },
      {
        "detector": "phi_in_url",
        "hits": 14,
        "tp": 0,
        "fp": 0,
        "confidence": 0.85,
        "last_seen": "2026-04-26T18:27:30.219307+00:00"
      },
      {
        "detector": "insider_email_exfil",
        "hits": 14,
        "tp": 0,
        "fp": 0,
        "confidence": 0.85,
        "last_seen": "2026-04-26T18:27:30.219325+00:00"
      },
      {
        "detector": "vendor_breach_intel",
        "hits": 14,
        "tp": 0,
        "fp": 0,
        "confidence": 0.85,
        "last_seen": "2026-04-26T18:27:30.219405+00:00"
      },
      {
        "detector": "vendor_missing_baa",
        "hits": 7,
        "tp": 0,
        "fp": 0,
        "confidence": 0.85,
        "last_seen": "2026-04-26T18:27:30.219415+00:00"
      }
    ]
  },
  "package_recommendation": {
    "package": "ENTERPRISE",
    "price": "$300K / year (floor, scales with user count and records)",
    "rationale": "Findings span all five Blue-class leak patterns with double-digit criticals. Enterprise tier includes unlimited users, every detector in this pack fully enabled, daily threat-feed updates, 24x7 on-call, quarterly red-team of the portal, and an SLA-backed breach response retainer.",
    "roi": "Anchored against the $16M OCR Anthem fine and $115M Anthem class action, a single prevented incident returns 50x to 400x the subscription cost."
  },
  "targets_scanned": {
    "portal_pages": [
      "https://portal.regional-health.example/login",
      "https://portal.regional-health.example/account",
      "https://www.regional-health.example/plans"
    ],
    "portal_urls": [
      "https://portal.regional-health.example/claim?mrn=MRN-884412&dob=04/17/1974",
      "https://portal.regional-health.example/auth?member_id=SUB-221199&ssn=123-45-6789",
      "https://portal.regional-health.example/help"
    ],
    "email_events": [
      {
        "from": "k.santos@regional-health.example",
        "to": [
          "k.santos@gmail.com"
        ],
        "subject": "member roster backup"
      },
      {
        "from": "r.kim@regional-health.example",
        "to": [
          "r.kim.personal@yahoo.com"
        ],
        "subject": "claims overflow"
      },
      {
        "from": "p.jones@regional-health.example",
        "to": [
          "broker@acme-broker.example"
        ],
        "subject": "renewal pricing"
      },
      {
        "from": "staff@regional-health.example",
        "to": [
          "staff@regional-health.example"
        ],
        "subject": "meeting notes"
      }
    ],
    "file_transfer_appliances": [
      {
        "product_key": "moveit_transfer",
        "host": "mft01.regional-health.example",
        "version": "2022.0.2"
      },
      {
        "product_key": "cleo_vltrader",
        "host": "edi.regional-health.example",
        "version": "5.8.0.17"
      },
      {
        "product_key": "goanywhere_mft",
        "host": "ga.regional-health.example",
        "version": "7.1.1"
      }
    ],
    "vendors": [
      {
        "name": "Conduent Business Services",
        "services": [
          "print",
          "mail",
          "PHI"
        ],
        "baa_on_file": true
      },
      {
        "name": "Young Consulting / Connexure",
        "services": [
          "stop loss software"
        ],
        "baa_on_file": true
      },
      {
        "name": "New Analytics Startup",
        "services": [
          "claims",
          "PHI"
        ],
        "baa_on_file": false
      },
      {
        "name": "Regional Courier Service",
        "services": [
          "print",
          "mail",
          "PHI"
        ],
        "baa_on_file": true
      }
    ]
  },
  "priority_summary": {
    "P1": {
      "count": 15,
      "fids": [
        "3e0451a902399e93",
        "4454be9075f7b2bd",
        "224f695a69cfb1d7",
        "fb75969f1dd05faa",
        "8e1324f03cb566af",
        "73295ed85da83294",
        "5811d80cbb52cb50",
        "dfab2d36879a2546",
        "f6bfaaedcfe1054b",
        "4f444e7b8001388b",
        "d71661f12300db8a",
        "9bf360d936c152fa",
        "d46df391ec693b0b",
        "e67e261b63ee660c",
        "aa232b7e5f82813a"
      ],
      "sla": "Fix in 24 hours"
    },
    "P2": {
      "count": 4,
      "fids": [
        "100a8edb801b3bf5",
        "204a4af4a53eae60",
        "18ca2ea4b6edd206",
        "e7fd012c788cc09a"
      ],
      "sla": "Fix in 72 hours"
    },
    "P3": {
      "count": 1,
      "fids": [
        "066b59644bf8958e"
      ],
      "sla": "Fix in next sprint"
    }
  },
  "findings": [
    {
      "fid": "f6bfaaedcfe1054b",
      "detector": "file_transfer_cve",
      "title": "Progress MOVEit Transfer exposed to CVE-2023-34362",
      "severity": "critical",
      "product": "Progress MOVEit Transfer",
      "vendor": "Progress Software",
      "host": "mft01.regional-health.example",
      "installed_version": "2022.0.2",
      "cve": "CVE-2023-34362",
      "cvss": 9.8,
      "affected_before": "2022.1.5 / 2022.0.4 / 2021.1.4 / 2021.0.6",
      "description": "SQL injection leading to RCE actively exploited by Clop ransomware group, source of the Blue Shield CA May 2023 breach",
      "policy": "ORACLE-FILE-TRANSFER-CVE-CRITICAL",
      "itil": {
        "type": "INC",
        "category": "Vulnerability"
      },
      "hipaa_citations": [
        "164.308(a)(1)",
        "164.308(a)(5)",
        "164.312(e)"
      ],
      "recommendation": "Patch the file transfer appliance within 24 hours, rotate credentials, and review access and egress logs back to the CVE disclosure date or earlier, since exploitation of several of these CVEs began before the vendor advisory was published. A WAF with CVE-specific virtual patches is a compensating control only and does not replace the vendor patch.",
      "detected_at": "2026-04-26T18:27:30.218487+00:00",
      "priority": {
        "score": 100,
        "bucket": "P1",
        "sla": "Fix in 24 hours",
        "factors": {
          "internet_facing": true,
          "phi_exposure": true,
          "exploit_in_wild": true,
          "business_critical": true
        }
      },
      "playbook": {
        "title": "Patch managed-file-transfer appliance CVE",
        "estimated_effort": "24 hours (P1 emergency)",
        "owner": "Security + Infrastructure",
        "steps": [
          "Take the vulnerable appliance OFFLINE immediately. Block ingress at the network firewall while patching.",
          "Apply the vendor patch. Versions: MOVEit 2024.0+, Cleo 5.8.0.24+ (5.8.0.21 closes CVE-2024-50623 but remains exposed to the CVE-2024-55956 bypass), GoAnywhere 7.4.1+, Accellion FTA EOL (replace with Kiteworks), WS_FTP 8.8.4+.",
          "Audit access logs for at least the last 90 days, and back to the CVE's first known exploitation date if the appliance has been exposed longer than that, against IOCs in the CISA advisory and vendor security bulletin. Look for: unexpected admin sessions, file enumeration, data exfiltration spikes, abnormal user-agent strings.",
          "Rotate ALL credentials that touched the appliance: service-account passwords, integration API tokens, encryption keys, TLS certs.",
          "If ANY IOC matched: trigger your breach disclosure workflow (notify affected individuals without unreasonable delay and no later than 60 days; notify HHS OCR within the same 60 days for breaches affecting 500 or more individuals, otherwise via the annual log; state AG per state law). Engage outside counsel.",
        ],
        "evidence_artifact": "Patch confirmation + log review report + credential rotation ticket. Breach notification if applicable.",
        "regulatory_citation": "CISA Known Exploited Vulnerabilities; HIPAA Breach Notification Rule 164.404 (individuals) and 164.408 (HHS)."
      }
    },
    {
      "fid": "4f444e7b8001388b",
      "detector": "file_transfer_cve",
      "title": "Progress MOVEit Transfer exposed to CVE-2023-35036",
      "severity": "critical",
      "product": "Progress MOVEit Transfer",
      "vendor": "Progress Software",
      "host": "mft01.regional-health.example",
      "installed_version": "2022.0.2",
      "cve": "CVE-2023-35036",
      "cvss": 9.1,
      "affected_before": null,
      "description": "Additional SQLi in MOVEit Transfer",
      "policy": "ORACLE-FILE-TRANSFER-CVE-CRITICAL",
      "itil": {
        "type": "INC",
        "category": "Vulnerability"
      },
      "hipaa_citations": [
        "164.308(a)(1)",
        "164.308(a)(5)",
        "164.312(e)"
      ],
      "recommendation": "Patch the file transfer appliance within 24 hours, rotate credentials, and review access and egress logs back to the CVE disclosure date or earlier, since exploitation of several of these CVEs began before the vendor advisory was published. A WAF with CVE-specific virtual patches is a compensating control only and does not replace the vendor patch.",
      "detected_at": "2026-04-26T18:27:30.218527+00:00",
      "priority": {
        "score": 100,
        "bucket": "P1",
        "sla": "Fix in 24 hours",
        "factors": {
          "internet_facing": true,
          "phi_exposure": true,
          "exploit_in_wild": true,
          "business_critical": true
        }
      },
      "playbook": {
        "title": "Patch managed-file-transfer appliance CVE",
        "estimated_effort": "24 hours (P1 emergency)",
        "owner": "Security + Infrastructure",
        "steps": [
          "Take the vulnerable appliance OFFLINE immediately. Block ingress at the network firewall while patching.",
          "Apply the vendor patch. Versions: MOVEit 2024.0+, Cleo 5.8.0.24+ (5.8.0.21 closes CVE-2024-50623 but remains exposed to the CVE-2024-55956 bypass), GoAnywhere 7.4.1+, Accellion FTA EOL (replace with Kiteworks), WS_FTP 8.8.4+.",
          "Audit access logs for at least the last 90 days, and back to the CVE's first known exploitation date if the appliance has been exposed longer than that, against IOCs in the CISA advisory and vendor security bulletin. Look for: unexpected admin sessions, file enumeration, data exfiltration spikes, abnormal user-agent strings.",
          "Rotate ALL credentials that touched the appliance: service-account passwords, integration API tokens, encryption keys, TLS certs.",
          "If ANY IOC matched: trigger your breach disclosure workflow (notify affected individuals without unreasonable delay and no later than 60 days; notify HHS OCR within the same 60 days for breaches affecting 500 or more individuals, otherwise via the annual log; state AG per state law). Engage outside counsel.",
        ],
        "evidence_artifact": "Patch confirmation + log review report + credential rotation ticket. Breach notification if applicable.",
        "regulatory_citation": "CISA Known Exploited Vulnerabilities; HIPAA Breach Notification Rule 164.404 (individuals) and 164.408 (HHS)."
      }
    },
    {
      "fid": "d71661f12300db8a",
      "detector": "file_transfer_cve",
      "title": "Progress MOVEit Transfer exposed to CVE-2023-36934",
      "severity": "critical",
      "product": "Progress MOVEit Transfer",
      "vendor": "Progress Software",
      "host": "mft01.regional-health.example",
      "installed_version": "2022.0.2",
      "cve": "CVE-2023-36934",
      "cvss": 9.1,
      "affected_before": null,
      "description": "Third SQLi vector patched July 2023",
      "policy": "ORACLE-FILE-TRANSFER-CVE-CRITICAL",
      "itil": {
        "type": "INC",
        "category": "Vulnerability"
      },
      "hipaa_citations": [
        "164.308(a)(1)",
        "164.308(a)(5)",
        "164.312(e)"
      ],
      "recommendation": "Patch the file transfer appliance within 24 hours, rotate credentials, and review access and egress logs back to the CVE disclosure date or earlier, since exploitation of several of these CVEs began before the vendor advisory was published. A WAF with CVE-specific virtual patches is a compensating control only and does not replace the vendor patch.",
      "detected_at": "2026-04-26T18:27:30.218553+00:00",
      "priority": {
        "score": 100,
        "bucket": "P1",
        "sla": "Fix in 24 hours",
        "factors": {
          "internet_facing": true,
          "phi_exposure": true,
          "exploit_in_wild": true,
          "business_critical": true
        }
      },
      "playbook": {
        "title": "Patch managed-file-transfer appliance CVE",
        "estimated_effort": "24 hours (P1 emergency)",
        "owner": "Security + Infrastructure",
        "steps": [
          "Take the vulnerable appliance OFFLINE immediately. Block ingress at the network firewall while patching.",
          "Apply the vendor patch. Versions: MOVEit 2024.0+, Cleo 5.8.0.24+ (5.8.0.21 closes CVE-2024-50623 but remains exposed to the CVE-2024-55956 bypass), GoAnywhere 7.4.1+, Accellion FTA EOL (replace with Kiteworks), WS_FTP 8.8.4+.",
          "Audit access logs for at least the last 90 days, and back to the CVE's first known exploitation date if the appliance has been exposed longer than that, against IOCs in the CISA advisory and vendor security bulletin. Look for: unexpected admin sessions, file enumeration, data exfiltration spikes, abnormal user-agent strings.",
          "Rotate ALL credentials that touched the appliance: service-account passwords, integration API tokens, encryption keys, TLS certs.",
          "If ANY IOC matched: trigger your breach disclosure workflow (notify affected individuals without unreasonable delay and no later than 60 days; notify HHS OCR within the same 60 days for breaches affecting 500 or more individuals, otherwise via the annual log; state AG per state law). Engage outside counsel.",
        ],
        "evidence_artifact": "Patch confirmation + log review report + credential rotation ticket. Breach notification if applicable.",
        "regulatory_citation": "CISA Known Exploited Vulnerabilities; HIPAA Breach Notification Rule 164.404 (individuals) and 164.408 (HHS)."
      }
    },
    {
      "fid": "9bf360d936c152fa",
      "detector": "file_transfer_cve",
      "title": "Cleo VLTrader / Harmony / LexiCom exposed to CVE-2024-50623",
      "severity": "critical",
      "product": "Cleo VLTrader / Harmony / LexiCom",
      "vendor": "Cleo Communications",
      "host": "edi.regional-health.example",
      "installed_version": "5.8.0.17",
      "cve": "CVE-2024-50623",
      "cvss": 9.8,
      "affected_before": "5.8.0.21",
      "description": "Unrestricted file upload leading to RCE, source of the BCBS Massachusetts Cierant breach December 2024",
      "policy": "ORACLE-FILE-TRANSFER-CVE-CRITICAL",
      "itil": {
        "type": "INC",
        "category": "Vulnerability"
      },
      "hipaa_citations": [
        "164.308(a)(1)",
        "164.308(a)(5)",
        "164.312(e)"
      ],
      "recommendation": "Patch the file transfer appliance within 24 hours, rotate credentials, and review access and egress logs back to the CVE disclosure date or earlier, since exploitation of several of these CVEs began before the vendor advisory was published. A WAF with CVE-specific virtual patches is a compensating control only and does not replace the vendor patch.",
      "detected_at": "2026-04-26T18:27:30.218590+00:00",
      "priority": {
        "score": 100,
        "bucket": "P1",
        "sla": "Fix in 24 hours",
        "factors": {
          "internet_facing": true,
          "phi_exposure": true,
          "exploit_in_wild": true,
          "business_critical": true
        }
      },
      "playbook": {
        "title": "Patch managed-file-transfer appliance CVE",
        "estimated_effort": "24 hours (P1 emergency)",
        "owner": "Security + Infrastructure",
        "steps": [
          "Take the vulnerable appliance OFFLINE immediately. Block ingress at the network firewall while patching.",
          "Apply the vendor patch. Versions: MOVEit 2024.0+, Cleo 5.8.0.24+ (5.8.0.21 closes CVE-2024-50623 but remains exposed to the CVE-2024-55956 bypass), GoAnywhere 7.4.1+, Accellion FTA EOL (replace with Kiteworks), WS_FTP 8.8.4+.",
          "Audit access logs for at least the last 90 days, and back to the CVE's first known exploitation date if the appliance has been exposed longer than that, against IOCs in the CISA advisory and vendor security bulletin. Look for: unexpected admin sessions, file enumeration, data exfiltration spikes, abnormal user-agent strings.",
          "Rotate ALL credentials that touched the appliance: service-account passwords, integration API tokens, encryption keys, TLS certs.",
          "If ANY IOC matched: trigger your breach disclosure workflow (notify affected individuals without unreasonable delay and no later than 60 days; notify HHS OCR within the same 60 days for breaches affecting 500 or more individuals, otherwise via the annual log; state AG per state law). Engage outside counsel.",
        ],
        "evidence_artifact": "Patch confirmation + log review report + credential rotation ticket. Breach notification if applicable.",
        "regulatory_citation": "CISA Known Exploited Vulnerabilities; HIPAA Breach Notification Rule 164.404 (individuals) and 164.408 (HHS)."
      }
    },
    {
      "fid": "d46df391ec693b0b",
      "detector": "file_transfer_cve",
      "title": "Cleo VLTrader / Harmony / LexiCom exposed to CVE-2024-55956",
      "severity": "critical",
      "product": "Cleo VLTrader / Harmony / LexiCom",
      "vendor": "Cleo Communications",
      "host": "edi.regional-health.example",
      "installed_version": "5.8.0.17",
      "cve": "CVE-2024-55956",
      "cvss": 9.8,
      "affected_before": "5.8.0.24",
      "description": "Patch-bypass of CVE-2024-50623, actively exploited",
      "policy": "ORACLE-FILE-TRANSFER-CVE-CRITICAL",
      "itil": {
        "type": "INC",
        "category": "Vulnerability"
      },
      "hipaa_citations": [
        "164.308(a)(1)",
        "164.308(a)(5)",
        "164.312(e)"
      ],
      "recommendation": "Patch the file transfer appliance within 24 hours, rotate credentials, and review access and egress logs back to the CVE disclosure date or earlier, since exploitation of several of these CVEs began before the vendor advisory was published. A WAF with CVE-specific virtual patches is a compensating control only and does not replace the vendor patch.",
      "detected_at": "2026-04-26T18:27:30.218614+00:00",
      "priority": {
        "score": 100,
        "bucket": "P1",
        "sla": "Fix in 24 hours",
        "factors": {
          "internet_facing": true,
          "phi_exposure": true,
          "exploit_in_wild": true,
          "business_critical": true
        }
      },
      "playbook": {
        "title": "Patch managed-file-transfer appliance CVE",
        "estimated_effort": "24 hours (P1 emergency)",
        "owner": "Security + Infrastructure",
        "steps": [
          "Take the vulnerable appliance OFFLINE immediately. Block ingress at the network firewall while patching.",
          "Apply the vendor patch. Versions: MOVEit 2024.0+, Cleo 5.8.0.24+ (5.8.0.21 closes CVE-2024-50623 but remains exposed to the CVE-2024-55956 bypass), GoAnywhere 7.4.1+, Accellion FTA EOL (replace with Kiteworks), WS_FTP 8.8.4+.",
          "Audit access logs for at least the last 90 days, and back to the CVE's first known exploitation date if the appliance has been exposed longer than that, against IOCs in the CISA advisory and vendor security bulletin. Look for: unexpected admin sessions, file enumeration, data exfiltration spikes, abnormal user-agent strings.",
          "Rotate ALL credentials that touched the appliance: service-account passwords, integration API tokens, encryption keys, TLS certs.",
          "If ANY IOC matched: trigger your breach disclosure workflow (notify affected individuals without unreasonable delay and no later than 60 days; notify HHS OCR within the same 60 days for breaches affecting 500 or more individuals, otherwise via the annual log; state AG per state law). Engage outside counsel.",
        ],
        "evidence_artifact": "Patch confirmation + log review report + credential rotation ticket. Breach notification if applicable.",
        "regulatory_citation": "CISA Known Exploited Vulnerabilities; HIPAA Breach Notification Rule 164.404 (individuals) and 164.408 (HHS)."
      }
    },
    {
      "fid": "aa232b7e5f82813a",
      "detector": "file_transfer_cve",
      "title": "Fortra GoAnywhere MFT exposed to CVE-2024-0204",
      "severity": "critical",
      "product": "Fortra GoAnywhere MFT",
      "vendor": "Fortra",
      "host": "ga.regional-health.example",
      "installed_version": "7.1.1",
      "cve": "CVE-2024-0204",
      "cvss": 9.8,
      "affected_before": null,
      "description": "Authentication bypass to admin",
      "policy": "ORACLE-FILE-TRANSFER-CVE-CRITICAL",
      "itil": {
        "type": "INC",
        "category": "Vulnerability"
      },
      "hipaa_citations": [
        "164.308(a)(1)",
        "164.308(a)(5)",
        "164.312(e)"
      ],
      "recommendation": "Patch the file transfer appliance within 24 hours, rotate credentials, and review access and egress logs back to the CVE disclosure date or earlier, since exploitation of several of these CVEs began before the vendor advisory was published. A WAF with CVE-specific virtual patches is a compensating control only and does not replace the vendor patch.",
      "detected_at": "2026-04-26T18:27:30.218663+00:00",
      "priority": {
        "score": 100,
        "bucket": "P1",
        "sla": "Fix in 24 hours",
        "factors": {
          "internet_facing": true,
          "phi_exposure": true,
          "exploit_in_wild": true,
          "business_critical": true
        }
      },
      "playbook": {
        "title": "Patch managed-file-transfer appliance CVE",
        "estimated_effort": "24 hours (P1 emergency)",
        "owner": "Security + Infrastructure",
        "steps": [
          "Take the vulnerable appliance OFFLINE immediately. Block ingress at the network firewall while patching.",
          "Apply the vendor patch. Versions: MOVEit 2024.0+, Cleo 5.8.0.24+ (5.8.0.21 closes CVE-2024-50623 but remains exposed to the CVE-2024-55956 bypass), GoAnywhere 7.4.1+, Accellion FTA EOL (replace with Kiteworks), WS_FTP 8.8.4+.",
          "Audit access logs for at least the last 90 days, and back to the CVE's first known exploitation date if the appliance has been exposed longer than that, against IOCs in the CISA advisory and vendor security bulletin. Look for: unexpected admin sessions, file enumeration, data exfiltration spikes, abnormal user-agent strings.",
          "Rotate ALL credentials that touched the appliance: service-account passwords, integration API tokens, encryption keys, TLS certs.",
          "If ANY IOC matched: trigger your breach disclosure workflow (notify affected individuals without unreasonable delay and no later than 60 days; notify HHS OCR within the same 60 days for breaches affecting 500 or more individuals, otherwise via the annual log; state AG per state law). Engage outside counsel.",
        ],
        "evidence_artifact": "Patch confirmation + log review report + credential rotation ticket. Breach notification if applicable.",
        "regulatory_citation": "CISA Known Exploited Vulnerabilities; HIPAA Breach Notification Rule 164.404 (individuals) and 164.408 (HHS)."
      }
    },
    {
      "fid": "5811d80cbb52cb50",
      "detector": "phi_in_url",
      "title": "PHI identifier exposed in URL",
      "severity": "critical",
      "url": "https://portal.regional-health.example/claim?mrn=MRN-884412&dob=04/17/1974",
      "matched_param_names": [
        "mrn",
        "dob"
      ],
      "phi_in_path": [],
      "phi_in_query_values": [
        "mrn",
        "dob"
      ],
      "hipaa_citations": [
        "164.502",
        "164.514"
      ],
      "policy": "ORACLE-PORTAL-URL-PHI-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Security / Privacy"
      },
      "recommendation": "Stop passing identifiers through URL query strings or path segments. Move identifiers into POST bodies or server side session lookups. URLs land in browser history, server and CDN logs, Referer headers, and analytics pipelines, including any third-party tracker script loaded on the same page.",
      "detected_at": "2026-04-26T18:27:30.217608+00:00",
      "priority": {
        "score": 75,
        "bucket": "P1",
        "sla": "Fix in 24 hours",
        "factors": {
          "internet_facing": true,
          "phi_exposure": true,
          "exploit_in_wild": false,
          "business_critical": true
        }
      },
      "playbook": {
        "title": "Stop PHI from appearing in URL query strings",
        "estimated_effort": "2-4 weeks (web app change + log scrub)",
        "owner": "Application Engineering + DevOps",
        "steps": [
          "Pull every URL flagged by ORACLE with PHI patterns (SSN/MRN/DOB/NPI/ICD-10/credit card).",
          "Refactor web/mobile app: switch sensitive params from GET (URL) to POST (body), and send a Referrer-Policy: no-referrer header on portal pages so any residual identifier in a URL is not leaked via the Referer header. Critical for any redirect chain that touches CDN/web logs.",
          "Implement URL masking at the gateway and log layer: Cloudflare Logpush field-exclusion, NGINX log_format with masking, or an equivalent log-processing step for CloudFront/ALB access logs (CloudFront field-level encryption protects POST form fields, not URL query strings, so it does not address this finding on its own).",
          "Purge web logs that contain historical PHI URLs, subject to legal-hold and records-retention obligations. Internal retention beyond minimum-necessary is a Privacy Rule issue; logs already shipped to a third party without a BAA must be assessed as a potential breach.",
          "Add a CI lint rule blocking new code that places PHI patterns into query strings. Train developers."
        ],
        "evidence_artifact": "Before/after URL pattern samples + log scrub completion ticket.",
        "regulatory_citation": "HIPAA 164.312(e)(1) Transmission Security; OCR breach reporting threshold of 500 affected individuals (164.408)."
      }
    },
    {
      "fid": "dfab2d36879a2546",
      "detector": "phi_in_url",
      "title": "PHI identifier exposed in URL",
      "severity": "critical",
      "url": "https://portal.regional-health.example/auth?member_id=SUB-221199&ssn=123-45-6789",
      "matched_param_names": [
        "member_id",
        "ssn"
      ],
      "phi_in_path": [],
      "phi_in_query_values": [
        "ssn"
      ],
      "hipaa_citations": [
        "164.502",
        "164.514"
      ],
      "policy": "ORACLE-PORTAL-URL-PHI-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Security / Privacy"
      },
      "recommendation": "Stop passing identifiers through URL query strings or path segments. Move identifiers into POST bodies or server side session lookups. URLs land in browser history, server and CDN logs, Referer headers, and analytics pipelines, including any third-party tracker script loaded on the same page.",
      "detected_at": "2026-04-26T18:27:30.217772+00:00",
      "priority": {
        "score": 75,
        "bucket": "P1",
        "sla": "Fix in 24 hours",
        "factors": {
          "internet_facing": true,
          "phi_exposure": true,
          "exploit_in_wild": false,
          "business_critical": true
        }
      },
      "playbook": {
        "title": "Stop PHI from appearing in URL query strings",
        "estimated_effort": "2-4 weeks (web app change + log scrub)",
        "owner": "Application Engineering + DevOps",
        "steps": [
          "Pull every URL flagged by ORACLE with PHI patterns (SSN/MRN/DOB/NPI/ICD-10/credit card).",
          "Refactor web/mobile app: switch sensitive params from GET (URL) to POST (body), and send a Referrer-Policy: no-referrer header on portal pages so any residual identifier in a URL is not leaked via the Referer header. Critical for any redirect chain that touches CDN/web logs.",
          "Implement URL masking at the gateway and log layer: Cloudflare Logpush field-exclusion, NGINX log_format with masking, or an equivalent log-processing step for CloudFront/ALB access logs (CloudFront field-level encryption protects POST form fields, not URL query strings, so it does not address this finding on its own).",
          "Purge web logs that contain historical PHI URLs, subject to legal-hold and records-retention obligations. Internal retention beyond minimum-necessary is a Privacy Rule issue; logs already shipped to a third party without a BAA must be assessed as a potential breach.",
          "Add a CI lint rule blocking new code that places PHI patterns into query strings. Train developers."
        ],
        "evidence_artifact": "Before/after URL pattern samples + log scrub completion ticket.",
        "regulatory_citation": "HIPAA 164.312(e)(1) Transmission Security; OCR breach reporting threshold of 500 affected individuals (164.408)."
      }
    },
    {
      "fid": "3e0451a902399e93",
      "detector": "portal_tracker",
      "title": "Tracker google_analytics present on analytics surface",
      "tracker_id": "google_analytics",
      "category": "analytics",
      "severity": "critical",
      "phi_page_context": true,
      "match_token": "googletagmanager.com",
      "hipaa_citations": [
        "164.502",
        "164.504",
        "164.508"
      ],
      "url": "https://portal.regional-health.example/login",
      "policy": "ORACLE-PORTAL-TRACKER-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Security / Privacy"
      },
      "recommendation": "Remove the tracker from every page that renders or receives PHI, including login and authentication pages, where it can observe member identifiers and authenticated session state. If analytics is required, route it through a HIPAA compliant pipeline with a BAA in place.",
      "detected_at": "2026-04-26T18:27:30.216595+00:00",
      "priority": {
        "score": 75,
        "bucket": "P1",
        "sla": "Fix in 24 hours",
        "factors": {
          "internet_facing": true,
          "phi_exposure": true,
          "exploit_in_wild": false,
          "business_critical": true
        }
      },
      "playbook": {
        "title": "Remove third-party trackers from PHI pages",
        "estimated_effort": "1-2 weeks",
        "owner": "Web/Marketing + Privacy",
        "steps": [
          "Identify every page returning PHI (member portal, claims, EOBs, secure messaging) and list the trackers loading on each.",
          "Remove all third-party tracking scripts (Google Analytics 4, Meta Pixel, Hotjar, FullStory, Adobe, LinkedIn, TikTok, Clarity, Mouseflow, CrazyEgg, Pendo, Segment, Amplitude, Mixpanel) from those pages, working with Marketing/Web team.",
          "If analytics is required, sign a BAA with the vendor first (note: Google does not offer a BAA for GA4, and a Google Workspace BAA does not extend to Analytics; choose an analytics vendor that will sign one).",
          "Configure a Content-Security-Policy header on PHI pages with an explicit script-src, connect-src and img-src allowlist of first-party and BAA-covered origins (CSP works by allowlist; it cannot deny-list individual analytics domains), and collect report-to/report-uri violations to catch new trackers.",
          "Re-scan weekly with TITAN ORACLE to confirm no regression. Auto-ticket any new tracker via CONDUIT."
        ],
        "evidence_artifact": "Pre/post page-source diff + CSP header screenshot.",
        "regulatory_citation": "OCR HIPAA bulletin Dec 2022 + 4.7M-record Blue-class settlements 2021-2024."
      }
    },
    {
      "fid": "4454be9075f7b2bd",
      "detector": "portal_tracker",
      "title": "Tracker meta_pixel present on advertising surface",
      "tracker_id": "meta_pixel",
      "category": "advertising",
      "severity": "critical",
      "phi_page_context": true,
      "match_token": "connect.facebook.net",
      "hipaa_citations": [
        "164.502",
        "164.508"
      ],
      "url": "https://portal.regional-health.example/login",
      "policy": "ORACLE-PORTAL-TRACKER-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Security / Privacy"
      },
      "recommendation": "Remove the tracker from every page that renders or receives PHI, including login and authentication pages, where it can observe member identifiers and authenticated session state. If analytics is required, route it through a HIPAA compliant pipeline with a BAA in place.",
      "detected_at": "2026-04-26T18:27:30.216702+00:00",
      "priority": {
        "score": 75,
        "bucket": "P1",
        "sla": "Fix in 24 hours",
        "factors": {
          "internet_facing": true,
          "phi_exposure": true,
          "exploit_in_wild": false,
          "business_critical": true
        }
      },
      "playbook": {
        "title": "Remove third-party trackers from PHI pages",
        "estimated_effort": "1-2 weeks",
        "owner": "Web/Marketing + Privacy",
        "steps": [
          "Identify every page returning PHI (member portal, claims, EOBs, secure messaging) and list the trackers loading on each.",
          "Remove all third-party tracking scripts (Google Analytics 4, Meta Pixel, Hotjar, FullStory, Adobe, LinkedIn, TikTok, Clarity, Mouseflow, CrazyEgg, Pendo, Segment, Amplitude, Mixpanel) from those pages, working with Marketing/Web team.",
          "If analytics is required, sign a HIPAA-compliant BAA with the vendor first (note: Google does NOT sign a BAA for standard GA4 - use Workspace Healthcare with limited scope).",
          "Configure a Content-Security-Policy header on PHI pages that blocks unauthorized analytics domains.",
          "Re-scan weekly with TITAN ORACLE to confirm no regression. Auto-ticket any new tracker via CONDUIT."
        ],
        "evidence_artifact": "Pre/post page-source diff + CSP header screenshot.",
        "regulatory_citation": "OCR HIPAA bulletin Dec 2022 + 4.7M-record Blue-class settlements 2021-2024."
      }
    },
    {
      "fid": "224f695a69cfb1d7",
      "detector": "portal_tracker",
      "title": "Tracker hotjar present on session_replay surface",
      "tracker_id": "hotjar",
      "category": "session_replay",
      "severity": "critical",
      "phi_page_context": true,
      "match_token": "static.hotjar.com",
      "hipaa_citations": [
        "164.502",
        "164.504"
      ],
      "url": "https://portal.regional-health.example/login",
      "policy": "ORACLE-PORTAL-TRACKER-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Security / Privacy"
      },
      "recommendation": "Remove the tracker from every page that renders or receives PHI. If retention is required, route through a HIPAA-compliant analytics pipeline with a BAA in place.",
      "detected_at": "2026-04-26T18:27:30.216791+00:00",
      "priority": {
        "score": 75,
        "bucket": "P1",
        "sla": "Fix in 24 hours",
        "factors": {
          "internet_facing": true,
          "phi_exposure": true,
          "exploit_in_wild": false,
          "business_critical": true
        }
      },
      "playbook": {
        "title": "Remove third-party trackers from PHI pages",
        "estimated_effort": "1-2 weeks",
        "owner": "Web/Marketing + Privacy",
        "steps": [
          "Identify every page returning PHI (member portal, claims, EOBs, secure messaging) and list the trackers loading on each.",
          "Remove all third-party tracking scripts (Google Analytics 4, Meta Pixel, Hotjar, FullStory, Adobe, LinkedIn, TikTok, Clarity, Mouseflow, CrazyEgg, Pendo, Segment, Amplitude, Mixpanel) from those pages, working with Marketing/Web team.",
          "If analytics is required, sign a HIPAA-compliant BAA with the vendor first (note: Google does NOT sign a BAA for standard GA4 - use Workspace Healthcare with limited scope).",
          "Configure a Content-Security-Policy header on PHI pages that blocks unauthorized analytics domains.",
          "Re-scan weekly with TITAN ORACLE to confirm no regression. Auto-ticket any new tracker via CONDUIT."
        ],
        "evidence_artifact": "Pre/post page-source diff + CSP header screenshot.",
        "regulatory_citation": "OCR HIPAA bulletin Dec 2022 + 4.7M-record Blue-class settlements 2021-2024."
      }
    },
    {
      "fid": "fb75969f1dd05faa",
      "detector": "portal_tracker",
      "title": "Tracker google_analytics present on analytics surface",
      "tracker_id": "google_analytics",
      "category": "analytics",
      "severity": "critical",
      "phi_page_context": true,
      "match_token": "googletagmanager.com",
      "hipaa_citations": [
        "164.502",
        "164.504",
        "164.508"
      ],
      "url": "https://portal.regional-health.example/account",
      "policy": "ORACLE-PORTAL-TRACKER-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Security / Privacy"
      },
      "recommendation": "Remove the tracker from every page that renders or receives PHI. If retention is required, route through a HIPAA-compliant analytics pipeline with a BAA in place.",
      "detected_at": "2026-04-26T18:27:30.216933+00:00",
      "priority": {
        "score": 75,
        "bucket": "P1",
        "sla": "Fix in 24 hours",
        "factors": {
          "internet_facing": true,
          "phi_exposure": true,
          "exploit_in_wild": false,
          "business_critical": true
        }
      },
      "playbook": {
        "title": "Remove third-party trackers from PHI pages",
        "estimated_effort": "1-2 weeks",
        "owner": "Web/Marketing + Privacy",
        "steps": [
          "Identify every page returning PHI (member portal, claims, EOBs, secure messaging) and list the trackers loading on each.",
          "Remove all third-party tracking scripts (Google Analytics 4, Meta Pixel, Hotjar, FullStory, Adobe, LinkedIn, TikTok, Clarity, Mouseflow, CrazyEgg, Pendo, Segment, Amplitude, Mixpanel) from those pages, working with Marketing/Web team.",
          "If analytics is required, sign a HIPAA-compliant BAA with the vendor first (note: Google does NOT sign a BAA for standard GA4 - use Workspace Healthcare with limited scope).",
          "Configure a Content-Security-Policy header on PHI pages that blocks unauthorized analytics domains.",
          "Re-scan weekly with TITAN ORACLE to confirm no regression. Auto-ticket any new tracker via CONDUIT."
        ],
        "evidence_artifact": "Pre/post page-source diff + CSP header screenshot.",
        "regulatory_citation": "OCR HIPAA bulletin Dec 2022 + 4.7M-record Blue-class settlements 2021-2024."
      }
    },
    {
      "fid": "8e1324f03cb566af",
      "detector": "portal_tracker",
      "title": "Tracker meta_pixel present on advertising surface",
      "tracker_id": "meta_pixel",
      "category": "advertising",
      "severity": "critical",
      "phi_page_context": true,
      "match_token": "connect.facebook.net",
      "hipaa_citations": [
        "164.502",
        "164.508"
      ],
      "url": "https://portal.regional-health.example/account",
      "policy": "ORACLE-PORTAL-TRACKER-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Security / Privacy"
      },
      "recommendation": "Remove the tracker from every page that renders or receives PHI. If retention is required, route through a HIPAA-compliant analytics pipeline with a BAA in place.",
      "detected_at": "2026-04-26T18:27:30.217055+00:00",
      "priority": {
        "score": 75,
        "bucket": "P1",
        "sla": "Fix in 24 hours",
        "factors": {
          "internet_facing": true,
          "phi_exposure": true,
          "exploit_in_wild": false,
          "business_critical": true
        }
      },
      "playbook": {
        "title": "Remove third-party trackers from PHI pages",
        "estimated_effort": "1-2 weeks",
        "owner": "Web/Marketing + Privacy",
        "steps": [
          "Identify every page returning PHI (member portal, claims, EOBs, secure messaging) and list the trackers loading on each.",
          "Remove all third-party tracking scripts (Google Analytics 4, Meta Pixel, Hotjar, FullStory, Adobe, LinkedIn, TikTok, Clarity, Mouseflow, CrazyEgg, Pendo, Segment, Amplitude, Mixpanel) from those pages, working with Marketing/Web team.",
          "If analytics is required, sign a HIPAA-compliant BAA with the vendor first (note: Google does NOT sign a BAA for standard GA4 - use Workspace Healthcare with limited scope).",
          "Configure a Content-Security-Policy header on PHI pages that blocks unauthorized analytics domains.",
          "Re-scan weekly with TITAN ORACLE to confirm no regression. Auto-ticket any new tracker via CONDUIT."
        ],
        "evidence_artifact": "Pre/post page-source diff + CSP header screenshot.",
        "regulatory_citation": "OCR HIPAA bulletin Dec 2022 + 4.7M-record Blue-class settlements 2021-2024."
      }
    },
    {
      "fid": "73295ed85da83294",
      "detector": "portal_tracker",
      "title": "Tracker hotjar present on session_replay surface",
      "tracker_id": "hotjar",
      "category": "session_replay",
      "severity": "critical",
      "phi_page_context": true,
      "match_token": "static.hotjar.com",
      "hipaa_citations": [
        "164.502",
        "164.504"
      ],
      "url": "https://portal.regional-health.example/account",
      "policy": "ORACLE-PORTAL-TRACKER-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Security / Privacy"
      },
      "recommendation": "Remove the tracker from every page that renders or receives PHI. If retention is required, route through a HIPAA-compliant analytics pipeline with a BAA in place.",
      "detected_at": "2026-04-26T18:27:30.217132+00:00",
      "priority": {
        "score": 75,
        "bucket": "P1",
        "sla": "Fix in 24 hours",
        "factors": {
          "internet_facing": true,
          "phi_exposure": true,
          "exploit_in_wild": false,
          "business_critical": true
        }
      },
      "playbook": {
        "title": "Remove third-party trackers from PHI pages",
        "estimated_effort": "1-2 weeks",
        "owner": "Web/Marketing + Privacy",
        "steps": [
          "Identify every page returning PHI (member portal, claims, EOBs, secure messaging) and list the trackers loading on each.",
          "Remove all third-party tracking scripts (Google Analytics 4, Meta Pixel, Hotjar, FullStory, Adobe, LinkedIn, TikTok, Clarity, Mouseflow, CrazyEgg, Pendo, Segment, Amplitude, Mixpanel) from those pages, working with Marketing/Web team.",
          "If analytics is required, sign a HIPAA-compliant BAA with the vendor first (note: Google does NOT sign a BAA for standard GA4 - use Workspace Healthcare with limited scope).",
          "Configure a Content-Security-Policy header on PHI pages that blocks unauthorized analytics domains.",
          "Re-scan weekly with TITAN ORACLE to confirm no regression. Auto-ticket any new tracker via CONDUIT."
        ],
        "evidence_artifact": "Pre/post page-source diff + CSP header screenshot.",
        "regulatory_citation": "OCR HIPAA bulletin Dec 2022 + 4.7M-record Blue-class settlements 2021-2024."
      }
    },
    {
      "fid": "e67e261b63ee660c",
      "detector": "file_transfer_cve",
      "title": "Fortra GoAnywhere MFT exposed to CVE-2023-0669",
      "severity": "high",
      "product": "Fortra GoAnywhere MFT",
      "vendor": "Fortra",
      "host": "ga.regional-health.example",
      "installed_version": "7.1.1",
      "cve": "CVE-2023-0669",
      "cvss": 7.2,
      "affected_before": null,
      "description": "Pre-auth RCE exploited by Clop for mass data theft",
      "policy": "ORACLE-FILE-TRANSFER-CVE-HIGH",
      "itil": {
        "type": "INC",
        "category": "Vulnerability"
      },
      "hipaa_citations": [
        "164.308(a)(1)",
        "164.308(a)(5)",
        "164.312(e)"
      ],
      "recommendation": "Patch the file-transfer appliance within 24 hours, rotate credentials, and review egress logs going back to the CVE disclosure date. Put the appliance behind a WAF with CVE-specific virtual patches.",
      "detected_at": "2026-04-26T18:27:30.218641+00:00",
      "priority": {
        "score": 100,
        "bucket": "P1",
        "sla": "Fix in 24 hours",
        "factors": {
          "internet_facing": true,
          "phi_exposure": true,
          "exploit_in_wild": true,
          "business_critical": true
        }
      },
      "playbook": {
        "title": "Patch managed-file-transfer appliance CVE",
        "estimated_effort": "24 hours (P1 emergency)",
        "owner": "Security + Infrastructure",
        "steps": [
          "Take the vulnerable appliance OFFLINE immediately. Block ingress at the network firewall while patching.",
          "Apply the vendor patch. Versions: MOVEit 2024.0+, Cleo 5.8.0.21+, GoAnywhere 7.4.1+, Accellion FTA EOL (replace with Kiteworks), WS_FTP 8.8.4+.",
          "Audit access logs for the last 90 days against IOCs in the CISA advisory and vendor security bulletin. Look for: unexpected admin sessions, file enumeration, data exfiltration spikes, abnormal user-agent strings.",
          "Rotate ALL credentials that touched the appliance: service-account passwords, integration API tokens, encryption keys, TLS certs.",
          "If ANY IOC matched: trigger your breach disclosure workflow (HHS OCR within 60 days for >500 records; state AG per state law). Engage outside counsel."
        ],
        "evidence_artifact": "Patch confirmation + log review report + credential rotation ticket. Breach notification if applicable.",
        "regulatory_citation": "CISA Known Exploited Vulnerabilities; HIPAA Breach Notification Rule 164.404."
      }
    },
    {
      "fid": "100a8edb801b3bf5",
      "detector": "insider_email_exfil",
      "title": "Outbound email to personal webmail (gmail.com)",
      "severity": "critical",
      "from": "k.santos@regional-health.example",
      "from_domain": "regional-health.example",
      "to": "k.santos@gmail.com",
      "to_domain": "gmail.com",
      "subject": "member roster backup",
      "attachment_count": 1,
      "attachment_bytes": 4194304,
      "attachment_names": [
        "member-roster-Q2.xlsx"
      ],
      "phi_signatures": [],
      "risk_factors": [
        "has_attachment",
        "attachment_over_1mb",
        "bulk_data_file_type",
        "self_send_to_personal_account"
      ],
      "hipaa_citations": [
        "164.308(a)(4)",
        "164.312(b)",
        "164.502",
        "164.530(c)"
      ],
      "policy": "ORACLE-INSIDER-EXFIL-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Insider Threat"
      },
      "recommendation": "Quarantine the message, notify the privacy officer, and open a HIPAA sanctions case under 164.530(e). Block personal webmail domains at the secure email gateway for employees with PHI access.",
      "detected_at": "2026-04-26T18:27:30.218147+00:00",
      "priority": {
        "score": 50,
        "bucket": "P2",
        "sla": "Fix in 72 hours",
        "factors": {
          "internet_facing": false,
          "phi_exposure": true,
          "exploit_in_wild": false,
          "business_critical": true
        }
      },
      "playbook": {
        "title": "Block PHI exfiltration via personal email",
        "estimated_effort": "3-5 days (DLP rule + investigation)",
        "owner": "Security + HR + IT",
        "steps": [
          "Create a Microsoft 365 / Google Workspace DLP rule: outbound email to personal-domain recipients (gmail.com, yahoo.com, outlook.com, hotmail.com, icloud.com, aol.com, etc.) containing PHI patterns or bulk attachments (CSV/XLS/ZIP) is blocked and quarantined for 7 days.",
          "Notify the user via auto-reply: 'Message contained PHI and was held. Contact privacy@yourco for review.'",
          "Audit the flagged user account for the last 90 days: similar attempts, after-hours access, large downloads.",
          "If a pattern of intentional exfiltration is detected, escalate to HR + legal under your AUP. Most incidents are accidental and resolved with training.",
          "Update the Acceptable Use Policy to clarify that PHI may never leave corporate email. Obtain acknowledgment from every employee."
        ],
        "evidence_artifact": "DLP rule export + quarantine log + completed user-investigation ticket.",
        "regulatory_citation": "HIPAA 164.308(a)(3)(ii)(B) Workforce Sanctions; HIPAA 164.312(b) Audit Controls."
      }
    },
    {
      "fid": "204a4af4a53eae60",
      "detector": "insider_email_exfil",
      "title": "Outbound email to personal webmail (yahoo.com)",
      "severity": "critical",
      "from": "r.kim@regional-health.example",
      "from_domain": "regional-health.example",
      "to": "r.kim.personal@yahoo.com",
      "to_domain": "yahoo.com",
      "subject": "claims overflow",
      "attachment_count": 1,
      "attachment_bytes": 812000,
      "attachment_names": [
        "claims-export.csv"
      ],
      "phi_signatures": [
        "ssn",
        "mrn",
        "dob"
      ],
      "risk_factors": [
        "has_attachment",
        "bulk_data_file_type",
        "phi_signatures_present",
        "self_send_to_personal_account"
      ],
      "hipaa_citations": [
        "164.308(a)(4)",
        "164.312(b)",
        "164.502",
        "164.530(c)"
      ],
      "policy": "ORACLE-INSIDER-EXFIL-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Insider Threat"
      },
      "recommendation": "Quarantine the message, notify the privacy officer, and open a HIPAA sanctions case under 164.530(e). Block personal webmail domains at the secure email gateway for employees with PHI access.",
      "detected_at": "2026-04-26T18:27:30.218392+00:00",
      "priority": {
        "score": 50,
        "bucket": "P2",
        "sla": "Fix in 72 hours",
        "factors": {
          "internet_facing": false,
          "phi_exposure": true,
          "exploit_in_wild": false,
          "business_critical": true
        }
      },
      "playbook": {
        "title": "Block PHI exfiltration via personal email",
        "estimated_effort": "3-5 days (DLP rule + investigation)",
        "owner": "Security + HR + IT",
        "steps": [
          "Create a Microsoft 365 / Google Workspace DLP rule: outbound email to personal-domain recipients (gmail.com, yahoo.com, outlook.com, hotmail.com, icloud.com, aol.com, etc.) containing PHI patterns or bulk attachments (CSV/XLS/ZIP) is blocked and quarantined for 7 days.",
          "Notify the user via auto-reply: 'Message contained PHI and was held. Contact privacy@yourco for review.'",
          "Audit the flagged user account for the last 90 days: similar attempts, after-hours access, large downloads.",
          "If a pattern of intentional exfiltration is detected, escalate to HR + legal under your AUP. Most incidents are accidental and resolved with training.",
          "Update the Acceptable Use Policy to clarify that PHI may never leave corporate email. Obtain acknowledgment from every employee."
        ],
        "evidence_artifact": "DLP rule export + quarantine log + completed user-investigation ticket.",
        "regulatory_citation": "HIPAA 164.308(a)(3)(ii)(B) Workforce Sanctions; HIPAA 164.312(b) Audit Controls."
      }
    },
    {
      "fid": "18ca2ea4b6edd206",
      "detector": "vendor_breach_intel",
      "title": "Vendor match against recent breach intel: Conduent Business Services",
      "severity": "critical",
      "vendor": "Conduent Business Services",
      "baa_on_file": true,
      "services": [
        "print",
        "mail",
        "PHI"
      ],
      "breach_window": "2024-10-21 to 2025-01-13",
      "ransomware_group": null,
      "reach_us": 25000000,
      "citation": [
        "Blue Shield of California",
        "Blue Shield Promise Health Plan",
        "multiple Blue Cross Blue Shield plans"
      ],
      "policy": "ORACLE-VENDOR-BREACH-INTEL-MATCH",
      "itil": {
        "type": "INC",
        "category": "Vendor / Third Party"
      },
      "hipaa_citations": [
        "164.308(b)",
        "164.314(a)",
        "164.502(e)"
      ],
      "recommendation": "Treat this vendor as compromised until it produces a clean forensic report. Rotate any shared secrets, pull recent exchange logs, and issue member notifications if PHI transited the vendor during the breach window.",
      "detected_at": "2026-04-26T18:27:30.218699+00:00",
      "priority": {
        "score": 50,
        "bucket": "P2",
        "sla": "Fix in 72 hours",
        "factors": {
          "internet_facing": false,
          "phi_exposure": true,
          "exploit_in_wild": false,
          "business_critical": true
        }
      },
      "playbook": {
        "title": "Re-evaluate vendor in active OCR breach list",
        "estimated_effort": "1-2 weeks (BAA review + attestation)",
        "owner": "Privacy + Procurement + Security",
        "steps": [
          "Confirm whether the breached vendor is in your supply chain. Cross-reference against your BAA inventory.",
          "Request the vendor's incident report + a fresh attestation describing remediation and monitoring controls put in place.",
          "Review the existing BAA: ensure the breach-notification clause meets HIPAA timing requirements and your contract right-to-audit terms allow validation.",
          "Tighten the data-share contract: minimum-necessary access, encryption-at-rest required, key separation, no offshore processing without explicit consent.",
          "Add the vendor to your annual security review calendar. Don't wait for the next incident."
        ],
        "evidence_artifact": "BAA amendment + vendor attestation + updated vendor risk score.",
        "regulatory_citation": "HIPAA 164.502(e) Business Associate Contracts; OCR enforcement actions on vendor PHI exposures."
      }
    },
    {
      "fid": "e7fd012c788cc09a",
      "detector": "vendor_breach_intel",
      "title": "Vendor match against recent breach intel: Young Consulting / Connexure",
      "severity": "critical",
      "vendor": "Young Consulting / Connexure",
      "baa_on_file": true,
      "services": [
        "stop loss software"
      ],
      "breach_window": "2024-04-10 to 2024-04-13",
      "ransomware_group": "BlackSuit",
      "reach_us": 954177,
      "citation": [
        "Blue Shield of California"
      ],
      "policy": "ORACLE-VENDOR-BREACH-INTEL-MATCH",
      "itil": {
        "type": "INC",
        "category": "Vendor / Third Party"
      },
      "hipaa_citations": [
        "164.308(b)",
        "164.314(a)",
        "164.502(e)"
      ],
      "recommendation": "Treat this vendor as compromised until it produces a clean forensic report. Rotate any shared secrets, pull recent exchange logs, and issue member notifications if PHI transited the vendor during the breach window.",
      "detected_at": "2026-04-26T18:27:30.218731+00:00",
      "priority": {
        "score": 50,
        "bucket": "P2",
        "sla": "Fix in 72 hours",
        "factors": {
          "internet_facing": false,
          "phi_exposure": true,
          "exploit_in_wild": false,
          "business_critical": true
        }
      },
      "playbook": {
        "title": "Re-evaluate vendor in active OCR breach list",
        "estimated_effort": "1-2 weeks (BAA review + attestation)",
        "owner": "Privacy + Procurement + Security",
        "steps": [
          "Confirm whether the breached vendor is in your supply chain. Cross-reference against your BAA inventory.",
          "Request the vendor's incident report + a fresh attestation describing remediation and monitoring controls put in place.",
          "Review the existing BAA: ensure the breach-notification clause meets HIPAA timing requirements and your contract right-to-audit terms allow validation.",
          "Tighten the data-share contract: minimum-necessary access, encryption-at-rest required, key separation, no offshore processing without explicit consent.",
          "Add the vendor to your annual security review calendar. Don't wait for the next incident."
        ],
        "evidence_artifact": "BAA amendment + vendor attestation + updated vendor risk score.",
        "regulatory_citation": "HIPAA 164.502(e) Business Associate Contracts; OCR enforcement actions on vendor PHI exposures."
      }
    },
    {
      "fid": "066b59644bf8958e",
      "detector": "vendor_missing_baa",
      "title": "Vendor missing BAA: New Analytics Startup",
      "severity": "high",
      "vendor": "New Analytics Startup",
      "services": [
        "claims",
        "PHI"
      ],
      "policy": "ORACLE-VENDOR-MISSING-BAA",
      "itil": {
        "type": "CHG",
        "category": "Vendor / Third Party"
      },
      "hipaa_citations": [
        "164.308(b)",
        "164.502(e)"
      ],
      "recommendation": "Execute a Business Associate Agreement before any further PHI exchange. If the vendor refuses, stop the data flow within 30 days.",
      "detected_at": "2026-04-26T18:27:30.218762+00:00",
      "priority": {
        "score": 25,
        "bucket": "P3",
        "sla": "Fix in next sprint (2 weeks)",
        "factors": {
          "internet_facing": false,
          "phi_exposure": false,
          "exploit_in_wild": false,
          "business_critical": true
        }
      }
    }
  ],
  "bsca_pattern_coverage": {
    "web_tracker_phi_leak": "PortalTrackerScanner",
    "phi_in_url": "PhiInUrlScanner",
    "insider_email_exfiltration": "InsiderEmailExfilScanner",
    "file_transfer_cve_exposure": "FileTransferRiskScanner",
    "third_party_vendor_breach": "VendorBreachMonitor"
  }
}