ORACLE PORTAL + VENDOR RISK EVIDENCE PACK
TITAN ORACLE · OPP-20260424-205558 · 2026-04-24T20:55:58.758833+00:00
Customer: Regional Health Plan (Blue-class Demo) · Pack ORACLE Portal + Vendor Risk v1.0.0
WHAT THIS PACK DOES IN 30 SECONDS
Stop the five leak patterns that cost Blue-class plans hundreds of millions
This pack retunes ORACLE to close the exact gaps that drove the biggest HIPAA settlements on record. It scans every customer portal page for Google Analytics, Meta Pixel, Hotjar, FullStory and 11 other trackers that leak PHI to ad networks. It watches every outbound email for insider exfiltration of SSNs, MRNs, and bulk spreadsheets to personal Gmail or Yahoo. It fingerprints MOVEit, Cleo, GoAnywhere and other file-transfer appliances against live CVE intel so you patch before the next Clop or BlackSuit raid. It cross-checks your vendor list against the real-time list of breached third parties (Conduent, Young Consulting, Cierant, NASCO, Change Healthcare). And it learns your environment round over round, so false positives fall and confidence climbs every week.
PORTAL TRACKER SCAN
PHI IN URL
INSIDER EMAIL EXFIL
FILE-TRANSFER CVE
VENDOR BREACH INTEL
SELF-LEARNING
Detector Hits
| file_transfer_cve | 7 |
| portal_tracker | 6 |
| phi_in_url | 2 |
| insider_email_exfil | 2 |
| vendor_breach_intel | 2 |
| vendor_missing_baa | 1 |
Blue-class Leak Pattern Coverage
1. Web tracker PHI leak — Google Analytics / Google Ads / Meta Pixel / Hotjar / FullStory / Adobe / LinkedIn / TikTok / Clarity / Mouseflow / CrazyEgg / Pendo / Segment / Amplitude / Mixpanel — mirrors the 4.7M Blue-class 2021-2024 leak pattern.
2. PHI in URL — MRN, SSN, DOB, member_id, patient_id, NPI, ICD-10 — prevents analytics pipelines and referrer leaks.
3. Insider email exfiltration — outbound to personal webmail with PHI signatures or bulk data attachments, including self-send pattern — mirrors the 2022 insider incident.
4. File transfer CVE exposure — MOVEit / Cleo / GoAnywhere / Accellion / WS_FTP with current CVEs — mirrors the 2023 MOVEit and 2024 Cleo incidents.
5. Third-party vendor breach — vendor inventory cross-checked against known recent breach intel (Conduent, Young Consulting, Cierant, NASCO, Change Healthcare) — mirrors the 2024 software-vendor ransomware and 2024-25 back-office vendor incidents.
HIPAA Controls Evidenced
| 164.502 | 10 |
| 164.308(a)(1) | 7 |
| 164.308(a)(5) | 7 |
| 164.312(e) | 7 |
| 164.504 | 4 |
| 164.508 | 4 |
| 164.308(b) | 3 |
| 164.502(e) | 3 |
| 164.514 | 2 |
| 164.308(a)(4) | 2 |
| 164.312(b) | 2 |
| 164.530(c) | 2 |
| 164.314(a) | 2 |
Self-Learning (ORACLE improves every round)
| SCAN ROUNDS | 1 |
| FIRST SCAN | 2026-04-24T20:55:58.756179+00:00 |
| LAST SCAN | 2026-04-24T20:55:58.756182+00:00 |
| ANALYST FEEDBACK | 0 |
| TRUE POSITIVES | 0 |
| FALSE POSITIVES | 0 |
| ANALYST SUPPRESSIONS | 0 |
| DETECTOR | HITS | TP | FP | CONFIDENCE |
| file_transfer_cve | 7 | 0 | 0 | 0.85 |
| portal_tracker | 6 | 0 | 0 | 0.85 |
| phi_in_url | 2 | 0 | 0 | 0.85 |
| insider_email_exfil | 2 | 0 | 0 | 0.85 |
| vendor_breach_intel | 2 | 0 | 0 | 0.85 |
| vendor_missing_baa | 1 | 0 | 0 | 0.85 |
Each analyst verdict raises detector confidence. Suppressed findings are remembered across runs. State persists on disk as oracle_portal_learning.json.
Threat Intelligence Feed
| TRACKER SIGNATURES | 15 |
| FILE-TRANSFER CVES TRACKED | 9 |
| BREACHED VENDORS TRACKED | 5 |
| ACTIVE RANSOMWARE GROUPS | 15 |
| PHI QUERY PARAMS | 21 |
| PERSONAL WEBMAIL DOMAINS | 14 |
Feed updates daily. CVE cross-check runs on every scan. Vendor intel expands as new breaches are disclosed.
RECOMMENDED PACKAGE
ENTERPRISE
$300K / year (floor, scales with user count and records)
Findings span all five Blue-class leak patterns with double digit criticals. Enterprise tier includes unlimited users, all five detectors fully enabled, daily threat-feed updates, 24x7 on-call, quarterly red-team of the portal, and an SLA-backed breach response retainer.
ROI benchmark — Anchored against the $16M OCR Anthem fine and $115M Anthem class action, a single prevented incident returns 50x to 400x the subscription cost.
All Findings (20)
CRITICAL
file_transfer_cve
Progress MOVEit Transfer exposed to CVE-2023-34362
FINDING FACTS
| PRODUCT | Progress MOVEit Transfer |
| VENDOR | Progress Software |
| HOST | mft01.regional-health.example |
| INSTALLED VERSION | 2022.0.2 |
| CVE | CVE-2023-34362 |
| CVSS | 9.8 |
| AFFECTED BEFORE | 2022.1.5 / 2022.0.4 / 2021.1.4 / 2021.0.6 |
| DESCRIPTION | SQL injection leading to RCE actively exploited by Clop ransomware group, source of the Blue Shield CA May 2023 breach |
| DETECTED AT | 2026-04-24T20:55:58.756047+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-F6BFAAEDCFE1054B |
| TYPE | INC |
| CATEGORY | Vulnerability |
| PRIORITY | P1 |
| POLICY | ORACLE-FILE-TRANSFER-CVE-CRITICAL |
| HIPAA | 164.308(a)(1), 164.308(a)(5), 164.312(e) |
RECOMMENDED ACTION
Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE specific virtual patches.
CRITICAL
file_transfer_cve
Progress MOVEit Transfer exposed to CVE-2023-35036
FINDING FACTS
| PRODUCT | Progress MOVEit Transfer |
| VENDOR | Progress Software |
| HOST | mft01.regional-health.example |
| INSTALLED VERSION | 2022.0.2 |
| CVE | CVE-2023-35036 |
| CVSS | 9.1 |
| AFFECTED BEFORE | None |
| DESCRIPTION | Additional SQLi in MOVEit Transfer |
| DETECTED AT | 2026-04-24T20:55:58.756059+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-4F444E7B8001388B |
| TYPE | INC |
| CATEGORY | Vulnerability |
| PRIORITY | P1 |
| POLICY | ORACLE-FILE-TRANSFER-CVE-CRITICAL |
| HIPAA | 164.308(a)(1), 164.308(a)(5), 164.312(e) |
RECOMMENDED ACTION
Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE specific virtual patches.
CRITICAL
file_transfer_cve
Progress MOVEit Transfer exposed to CVE-2023-36934
FINDING FACTS
| PRODUCT | Progress MOVEit Transfer |
| VENDOR | Progress Software |
| HOST | mft01.regional-health.example |
| INSTALLED VERSION | 2022.0.2 |
| CVE | CVE-2023-36934 |
| CVSS | 9.1 |
| AFFECTED BEFORE | None |
| DESCRIPTION | Third SQLi vector patched July 2023 |
| DETECTED AT | 2026-04-24T20:55:58.756068+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-D71661F12300DB8A |
| TYPE | INC |
| CATEGORY | Vulnerability |
| PRIORITY | P1 |
| POLICY | ORACLE-FILE-TRANSFER-CVE-CRITICAL |
| HIPAA | 164.308(a)(1), 164.308(a)(5), 164.312(e) |
RECOMMENDED ACTION
Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE specific virtual patches.
CRITICAL
file_transfer_cve
Cleo VLTrader / Harmony / LexiCom exposed to CVE-2024-50623
FINDING FACTS
| PRODUCT | Cleo VLTrader / Harmony / LexiCom |
| VENDOR | Cleo Communications |
| HOST | edi.regional-health.example |
| INSTALLED VERSION | 5.8.0.17 |
| CVE | CVE-2024-50623 |
| CVSS | 9.8 |
| AFFECTED BEFORE | 5.8.0.21 |
| DESCRIPTION | Unrestricted file upload leading to RCE, source of the BCBS Massachusetts Cierant breach December 2024 |
| DETECTED AT | 2026-04-24T20:55:58.756086+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-9BF360D936C152FA |
| TYPE | INC |
| CATEGORY | Vulnerability |
| PRIORITY | P1 |
| POLICY | ORACLE-FILE-TRANSFER-CVE-CRITICAL |
| HIPAA | 164.308(a)(1), 164.308(a)(5), 164.312(e) |
RECOMMENDED ACTION
Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE specific virtual patches.
CRITICAL
file_transfer_cve
Cleo VLTrader / Harmony / LexiCom exposed to CVE-2024-55956
FINDING FACTS
| PRODUCT | Cleo VLTrader / Harmony / LexiCom |
| VENDOR | Cleo Communications |
| HOST | edi.regional-health.example |
| INSTALLED VERSION | 5.8.0.17 |
| CVE | CVE-2024-55956 |
| CVSS | 9.8 |
| AFFECTED BEFORE | 5.8.0.24 |
| DESCRIPTION | Patch-bypass of CVE-2024-50623, actively exploited |
| DETECTED AT | 2026-04-24T20:55:58.756095+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-D46DF391EC693B0B |
| TYPE | INC |
| CATEGORY | Vulnerability |
| PRIORITY | P1 |
| POLICY | ORACLE-FILE-TRANSFER-CVE-CRITICAL |
| HIPAA | 164.308(a)(1), 164.308(a)(5), 164.312(e) |
RECOMMENDED ACTION
Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE specific virtual patches.
CRITICAL
file_transfer_cve
Fortra GoAnywhere MFT exposed to CVE-2024-0204
FINDING FACTS
| PRODUCT | Fortra GoAnywhere MFT |
| VENDOR | Fortra |
| HOST | ga.regional-health.example |
| INSTALLED VERSION | 7.1.1 |
| CVE | CVE-2024-0204 |
| CVSS | 9.8 |
| AFFECTED BEFORE | None |
| DESCRIPTION | Authentication bypass to admin |
| DETECTED AT | 2026-04-24T20:55:58.756114+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-AA232B7E5F82813A |
| TYPE | INC |
| CATEGORY | Vulnerability |
| PRIORITY | P1 |
| POLICY | ORACLE-FILE-TRANSFER-CVE-CRITICAL |
| HIPAA | 164.308(a)(1), 164.308(a)(5), 164.312(e) |
RECOMMENDED ACTION
Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE specific virtual patches.
CRITICAL
insider_email_exfil
Outbound email to personal webmail (gmail.com)
FINDING FACTS
| FROM | k.santos@regional-health.example |
| TO | k.santos@gmail.com |
| TO DOMAIN | gmail.com |
| SUBJECT | member roster backup |
| ATTACHMENTS | member-roster-Q2.xlsx |
| SIZE (BYTES) | 4194304 |
| PHI SIGNATURES | |
| RISK FACTORS | has_attachment, attachment_over_1mb, bulk_data_file_type, self_send_to_personal_account |
| DETECTED AT | 2026-04-24T20:55:58.755948+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-100A8EDB801B3BF5 |
| TYPE | INC |
| CATEGORY | Insider Threat |
| PRIORITY | P1 |
| POLICY | ORACLE-INSIDER-EXFIL-BLOCK |
| HIPAA | 164.308(a)(4), 164.312(b), 164.502, 164.530(c) |
RECOMMENDED ACTION
Quarantine the message, notify the privacy officer, and open a HIPAA sanctions case under 164.530(e). Block personal webmail domains at the secure email gateway for employees with PHI access.
CRITICAL
insider_email_exfil
Outbound email to personal webmail (yahoo.com)
FINDING FACTS
| FROM | r.kim@regional-health.example |
| TO | r.kim.personal@yahoo.com |
| TO DOMAIN | yahoo.com |
| SUBJECT | claims overflow |
| ATTACHMENTS | claims-export.csv |
| SIZE (BYTES) | 812000 |
| PHI SIGNATURES | ssn, mrn, dob |
| RISK FACTORS | has_attachment, bulk_data_file_type, phi_signatures_present, self_send_to_personal_account |
| DETECTED AT | 2026-04-24T20:55:58.756012+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-204A4AF4A53EAE60 |
| TYPE | INC |
| CATEGORY | Insider Threat |
| PRIORITY | P1 |
| POLICY | ORACLE-INSIDER-EXFIL-BLOCK |
| HIPAA | 164.308(a)(4), 164.312(b), 164.502, 164.530(c) |
RECOMMENDED ACTION
Quarantine the message, notify the privacy officer, and open a HIPAA sanctions case under 164.530(e). Block personal webmail domains at the secure email gateway for employees with PHI access.
CRITICAL
phi_in_url
PHI identifier exposed in URL
FINDING FACTS
| URL | https://portal.regional-health.example/claim?mrn=MRN-884412&dob=04/17/1974 |
| MATCHED PARAMS | mrn, dob |
| PHI IN PATH | |
| PHI IN QUERY | dob, mrn |
| DETECTED AT | 2026-04-24T20:55:58.755817+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-5811D80CBB52CB50 |
| TYPE | INC |
| CATEGORY | Security / Privacy |
| PRIORITY | P1 |
| POLICY | ORACLE-PORTAL-URL-PHI-BLOCK |
| HIPAA | 164.502, 164.514 |
RECOMMENDED ACTION
Stop passing identifiers through URL query strings. Move identifiers into POST bodies or server side session lookups. URLs land in browser history, server logs, referrer headers, and analytics pipelines.
CRITICAL
phi_in_url
PHI identifier exposed in URL
FINDING FACTS
| URL | https://portal.regional-health.example/auth?member_id=SUB-221199&ssn=123-45-6789 |
| MATCHED PARAMS | member_id, ssn |
| PHI IN PATH | |
| PHI IN QUERY | ssn |
| DETECTED AT | 2026-04-24T20:55:58.755873+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-DFAB2D36879A2546 |
| TYPE | INC |
| CATEGORY | Security / Privacy |
| PRIORITY | P1 |
| POLICY | ORACLE-PORTAL-URL-PHI-BLOCK |
| HIPAA | 164.502, 164.514 |
RECOMMENDED ACTION
Stop passing identifiers through URL query strings. Move identifiers into POST bodies or server side session lookups. URLs land in browser history, server logs, referrer headers, and analytics pipelines.
CRITICAL
portal_tracker
Tracker google_analytics present on analytics surface
FINDING FACTS
| URL | https://portal.regional-health.example/login |
| TRACKER | google_analytics |
| CATEGORY | analytics |
| MATCH TOKEN | googletagmanager.com |
| PHI PAGE CONTEXT | True |
| DETECTED AT | 2026-04-24T20:55:58.755509+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-3E0451A902399E93 |
| TYPE | INC |
| CATEGORY | Security / Privacy |
| PRIORITY | P1 |
| POLICY | ORACLE-PORTAL-TRACKER-BLOCK |
| HIPAA | 164.502, 164.504, 164.508 |
RECOMMENDED ACTION
Remove tracker from every page that renders or receives PHI. If retention is required, route through a HIPAA compliant analytics pipeline with BAA in place.
CRITICAL
portal_tracker
Tracker meta_pixel present on advertising surface
FINDING FACTS
| URL | https://portal.regional-health.example/login |
| TRACKER | meta_pixel |
| CATEGORY | advertising |
| MATCH TOKEN | connect.facebook.net |
| PHI PAGE CONTEXT | True |
| DETECTED AT | 2026-04-24T20:55:58.755540+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-4454BE9075F7B2BD |
| TYPE | INC |
| CATEGORY | Security / Privacy |
| PRIORITY | P1 |
| POLICY | ORACLE-PORTAL-TRACKER-BLOCK |
| HIPAA | 164.502, 164.508 |
RECOMMENDED ACTION
Remove tracker from every page that renders or receives PHI. If retention is required, route through a HIPAA compliant analytics pipeline with BAA in place.
CRITICAL
portal_tracker
Tracker hotjar present on session_replay surface
FINDING FACTS
| URL | https://portal.regional-health.example/login |
| TRACKER | hotjar |
| CATEGORY | session_replay |
| MATCH TOKEN | static.hotjar.com |
| PHI PAGE CONTEXT | True |
| DETECTED AT | 2026-04-24T20:55:58.755568+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-224F695A69CFB1D7 |
| TYPE | INC |
| CATEGORY | Security / Privacy |
| PRIORITY | P1 |
| POLICY | ORACLE-PORTAL-TRACKER-BLOCK |
| HIPAA | 164.502, 164.504 |
RECOMMENDED ACTION
Remove tracker from every page that renders or receives PHI. If retention is required, route through a HIPAA compliant analytics pipeline with BAA in place.
CRITICAL
portal_tracker
Tracker google_analytics present on analytics surface
FINDING FACTS
| URL | https://portal.regional-health.example/account |
| TRACKER | google_analytics |
| CATEGORY | analytics |
| MATCH TOKEN | googletagmanager.com |
| PHI PAGE CONTEXT | True |
| DETECTED AT | 2026-04-24T20:55:58.755616+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-FB75969F1DD05FAA |
| TYPE | INC |
| CATEGORY | Security / Privacy |
| PRIORITY | P1 |
| POLICY | ORACLE-PORTAL-TRACKER-BLOCK |
| HIPAA | 164.502, 164.504, 164.508 |
RECOMMENDED ACTION
Remove tracker from every page that renders or receives PHI. If retention is required, route through a HIPAA compliant analytics pipeline with BAA in place.
CRITICAL
portal_tracker
Tracker meta_pixel present on advertising surface
FINDING FACTS
| URL | https://portal.regional-health.example/account |
| TRACKER | meta_pixel |
| CATEGORY | advertising |
| MATCH TOKEN | connect.facebook.net |
| PHI PAGE CONTEXT | True |
| DETECTED AT | 2026-04-24T20:55:58.755636+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-8E1324F03CB566AF |
| TYPE | INC |
| CATEGORY | Security / Privacy |
| PRIORITY | P1 |
| POLICY | ORACLE-PORTAL-TRACKER-BLOCK |
| HIPAA | 164.502, 164.508 |
RECOMMENDED ACTION
Remove tracker from every page that renders or receives PHI. If retention is required, route through a HIPAA compliant analytics pipeline with BAA in place.
CRITICAL
portal_tracker
Tracker hotjar present on session_replay surface
FINDING FACTS
| URL | https://portal.regional-health.example/account |
| TRACKER | hotjar |
| CATEGORY | session_replay |
| MATCH TOKEN | static.hotjar.com |
| PHI PAGE CONTEXT | True |
| DETECTED AT | 2026-04-24T20:55:58.755661+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-73295ED85DA83294 |
| TYPE | INC |
| CATEGORY | Security / Privacy |
| PRIORITY | P1 |
| POLICY | ORACLE-PORTAL-TRACKER-BLOCK |
| HIPAA | 164.502, 164.504 |
RECOMMENDED ACTION
Remove tracker from every page that renders or receives PHI. If retention is required, route through a HIPAA compliant analytics pipeline with BAA in place.
CRITICAL
vendor_breach_intel
Vendor match against recent breach intel: Conduent Business Services
FINDING FACTS
| VENDOR | Conduent Business Services |
| BREACH WINDOW | 2024-10-21 to 2025-01-13 |
| RANSOMWARE GROUP | None |
| US REACH | 25000000 |
| BAA ON FILE | True |
| SERVICES | print, mail, PHI |
| DETECTED AT | 2026-04-24T20:55:58.756128+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-18CA2EA4B6EDD206 |
| TYPE | INC |
| CATEGORY | Vendor / Third Party |
| PRIORITY | P1 |
| POLICY | ORACLE-VENDOR-BREACH-INTEL-MATCH |
| HIPAA | 164.308(b), 164.314(a), 164.502(e) |
RECOMMENDED ACTION
Treat this vendor as compromised until they produce a clean forensic report. Rotate any shared secrets, pull recent exchange logs, and issue member notifications if PHI transited the vendor in the breach window.
CRITICAL
vendor_breach_intel
Vendor match against recent breach intel: Young Consulting / Connexure
FINDING FACTS
| VENDOR | Young Consulting / Connexure |
| BREACH WINDOW | 2024-04-10 to 2024-04-13 |
| RANSOMWARE GROUP | BlackSuit |
| US REACH | 954177 |
| BAA ON FILE | True |
| SERVICES | stop loss software |
| DETECTED AT | 2026-04-24T20:55:58.756140+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-E7FD012C788CC09A |
| TYPE | INC |
| CATEGORY | Vendor / Third Party |
| PRIORITY | P1 |
| POLICY | ORACLE-VENDOR-BREACH-INTEL-MATCH |
| HIPAA | 164.308(b), 164.314(a), 164.502(e) |
RECOMMENDED ACTION
Treat this vendor as compromised until they produce a clean forensic report. Rotate any shared secrets, pull recent exchange logs, and issue member notifications if PHI transited the vendor in the breach window.
HIGH
file_transfer_cve
Fortra GoAnywhere MFT exposed to CVE-2023-0669
FINDING FACTS
| PRODUCT | Fortra GoAnywhere MFT |
| VENDOR | Fortra |
| HOST | ga.regional-health.example |
| INSTALLED VERSION | 7.1.1 |
| CVE | CVE-2023-0669 |
| CVSS | 7.2 |
| AFFECTED BEFORE | None |
| DESCRIPTION | Pre-auth RCE exploited by Clop for mass data theft |
| DETECTED AT | 2026-04-24T20:55:58.756106+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-E67E261B63EE660C |
| TYPE | INC |
| CATEGORY | Vulnerability |
| PRIORITY | P2 |
| POLICY | ORACLE-FILE-TRANSFER-CVE-HIGH |
| HIPAA | 164.308(a)(1), 164.308(a)(5), 164.312(e) |
RECOMMENDED ACTION
Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE specific virtual patches.
HIGH
vendor_missing_baa
Vendor missing BAA: New Analytics Startup
FINDING FACTS
| VENDOR | New Analytics Startup |
| SERVICES | claims, PHI |
| DETECTED AT | 2026-04-24T20:55:58.756152+00:00 |
ATTACHED TICKET
| TICKET ID | ORACLE-066B59644BF8958E |
| TYPE | CHG |
| CATEGORY | Vendor / Third Party |
| PRIORITY | P2 |
| POLICY | ORACLE-VENDOR-MISSING-BAA |
| HIPAA | 164.308(b), 164.502(e) |
RECOMMENDED ACTION
Execute a Business Associate Agreement before any further PHI exchange. If the vendor refuses, stop the data flow within 30 days.
TITAN AI · ORACLE Portal + Vendor Risk Pack · Generated 2026-04-24T20:55:58.758833+00:00