{
  "report_id": "OPP-20260424-205558",
  "generated_at": "2026-04-24T20:55:58.758833+00:00",
  "tenant": "Regional Health Plan (Blue-class Demo)",
  "pack": "ORACLE Portal + Vendor Risk",
  "pack_version": "1.0.0",
  "summary": {
    "total_findings": 20,
    "by_severity": {
      "critical": 18,
      "high": 2,
      "medium": 0,
      "low": 0
    },
    "by_detector": {
      "portal_tracker": 6,
      "phi_in_url": 2,
      "insider_email_exfil": 2,
      "file_transfer_cve": 7,
      "vendor_breach_intel": 2,
      "vendor_missing_baa": 1
    },
    "hipaa_controls_exercised": {
      "164.502": 10,
      "164.504": 4,
      "164.508": 4,
      "164.514": 2,
      "164.308(a)(4)": 2,
      "164.312(b)": 2,
      "164.530(c)": 2,
      "164.308(a)(1)": 7,
      "164.308(a)(5)": 7,
      "164.312(e)": 7,
      "164.308(b)": 3,
      "164.314(a)": 2,
      "164.502(e)": 3
    }
  },
  "threat_feed": {
    "ransomware_groups_tracked": 15,
    "breached_vendors_tracked": 5,
    "file_transfer_cves_tracked": 9,
    "tracker_signatures_tracked": 15,
    "phi_query_params_tracked": 21,
    "personal_email_domains_tracked": 14,
    "top_critical_cves": [
      {
        "id": "CVE-2023-40044",
        "cvss": 10.0,
        "product": "Progress WS_FTP Server"
      },
      {
        "id": "CVE-2023-34362",
        "cvss": 9.8,
        "product": "Progress MOVEit Transfer"
      },
      {
        "id": "CVE-2024-50623",
        "cvss": 9.8,
        "product": "Cleo VLTrader / Harmony / LexiCom"
      },
      {
        "id": "CVE-2024-55956",
        "cvss": 9.8,
        "product": "Cleo VLTrader / Harmony / LexiCom"
      },
      {
        "id": "CVE-2024-0204",
        "cvss": 9.8,
        "product": "Fortra GoAnywhere MFT"
      },
      {
        "id": "CVE-2021-27101",
        "cvss": 9.8,
        "product": "Accellion FTA (legacy)"
      }
    ]
  },
  "learning": {
    "rounds": 1,
    "first_scan_at": "2026-04-24T20:55:58.756179+00:00",
    "last_scan_at": "2026-04-24T20:55:58.756182+00:00",
    "total_hits_all_time": 20,
    "total_feedback": 0,
    "true_positives": 0,
    "false_positives": 0,
    "suppressions": 0,
    "per_detector": [
      {
        "detector": "file_transfer_cve",
        "hits": 7,
        "tp": 0,
        "fp": 0,
        "confidence": 0.85,
        "last_seen": "2026-04-24T20:55:58.756247+00:00"
      },
      {
        "detector": "portal_tracker",
        "hits": 6,
        "tp": 0,
        "fp": 0,
        "confidence": 0.85,
        "last_seen": "2026-04-24T20:55:58.756209+00:00"
      },
      {
        "detector": "phi_in_url",
        "hits": 2,
        "tp": 0,
        "fp": 0,
        "confidence": 0.85,
        "last_seen": "2026-04-24T20:55:58.756216+00:00"
      },
      {
        "detector": "insider_email_exfil",
        "hits": 2,
        "tp": 0,
        "fp": 0,
        "confidence": 0.85,
        "last_seen": "2026-04-24T20:55:58.756223+00:00"
      },
      {
        "detector": "vendor_breach_intel",
        "hits": 2,
        "tp": 0,
        "fp": 0,
        "confidence": 0.85,
        "last_seen": "2026-04-24T20:55:58.756254+00:00"
      },
      {
        "detector": "vendor_missing_baa",
        "hits": 1,
        "tp": 0,
        "fp": 0,
        "confidence": 0.85,
        "last_seen": "2026-04-24T20:55:58.756258+00:00"
      }
    ]
  },
  "package_recommendation": {
    "package": "ENTERPRISE",
    "price": "$300K / year (floor, scales with user count and records)",
    "rationale": "Findings span all five Blue-class leak patterns, with a double-digit count of critical findings. Enterprise tier includes unlimited users, all five detectors fully enabled, daily threat-feed updates, 24x7 on-call, quarterly red-team of the portal, and an SLA-backed breach response retainer.",
    "roi": "Anchored against the $16M OCR Anthem fine and $115M Anthem class action, a single prevented incident returns 50x to 400x the subscription cost."
  },
  "targets_scanned": {
    "portal_pages": [
      "https://portal.regional-health.example/login",
      "https://portal.regional-health.example/account",
      "https://www.regional-health.example/plans"
    ],
    "portal_urls": [
      "https://portal.regional-health.example/claim?mrn=MRN-884412&dob=04/17/1974",
      "https://portal.regional-health.example/auth?member_id=SUB-221199&ssn=123-45-6789",
      "https://portal.regional-health.example/help"
    ],
    "email_events": [
      {
        "from": "k.santos@regional-health.example",
        "to": [
          "k.santos@gmail.com"
        ],
        "subject": "member roster backup"
      },
      {
        "from": "r.kim@regional-health.example",
        "to": [
          "r.kim.personal@yahoo.com"
        ],
        "subject": "claims overflow"
      },
      {
        "from": "p.jones@regional-health.example",
        "to": [
          "broker@acme-broker.example"
        ],
        "subject": "renewal pricing"
      },
      {
        "from": "staff@regional-health.example",
        "to": [
          "staff@regional-health.example"
        ],
        "subject": "meeting notes"
      }
    ],
    "file_transfer_appliances": [
      {
        "product_key": "moveit_transfer",
        "host": "mft01.regional-health.example",
        "version": "2022.0.2"
      },
      {
        "product_key": "cleo_vltrader",
        "host": "edi.regional-health.example",
        "version": "5.8.0.17"
      },
      {
        "product_key": "goanywhere_mft",
        "host": "ga.regional-health.example",
        "version": "7.1.1"
      }
    ],
    "vendors": [
      {
        "name": "Conduent Business Services",
        "services": [
          "print",
          "mail",
          "PHI"
        ],
        "baa_on_file": true
      },
      {
        "name": "Young Consulting / Connexure",
        "services": [
          "stop loss software"
        ],
        "baa_on_file": true
      },
      {
        "name": "New Analytics Startup",
        "services": [
          "claims",
          "PHI"
        ],
        "baa_on_file": false
      },
      {
        "name": "Regional Courier Service",
        "services": [
          "print",
          "mail",
          "PHI"
        ],
        "baa_on_file": true
      }
    ]
  },
  "findings": [
    {
      "fid": "f6bfaaedcfe1054b",
      "detector": "file_transfer_cve",
      "title": "Progress MOVEit Transfer exposed to CVE-2023-34362",
      "severity": "critical",
      "product": "Progress MOVEit Transfer",
      "vendor": "Progress Software",
      "host": "mft01.regional-health.example",
      "installed_version": "2022.0.2",
      "cve": "CVE-2023-34362",
      "cvss": 9.8,
      "affected_before": "2022.1.5 / 2022.0.4 / 2021.1.4 / 2021.0.6",
      "description": "SQL injection leading to RCE, actively exploited by the Clop ransomware group; source of the Blue Shield CA May 2023 breach",
      "policy": "ORACLE-FILE-TRANSFER-CVE-CRITICAL",
      "itil": {
        "type": "INC",
        "category": "Vulnerability"
      },
      "hipaa_citations": [
        "164.308(a)(1)",
        "164.308(a)(5)",
        "164.312(e)"
      ],
      "recommendation": "Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE-specific virtual patches.",
      "detected_at": "2026-04-24T20:55:58.756047+00:00"
    },
    {
      "fid": "4f444e7b8001388b",
      "detector": "file_transfer_cve",
      "title": "Progress MOVEit Transfer exposed to CVE-2023-35036",
      "severity": "critical",
      "product": "Progress MOVEit Transfer",
      "vendor": "Progress Software",
      "host": "mft01.regional-health.example",
      "installed_version": "2022.0.2",
      "cve": "CVE-2023-35036",
      "cvss": 9.1,
      "affected_before": null,
      "description": "Additional SQLi in MOVEit Transfer",
      "policy": "ORACLE-FILE-TRANSFER-CVE-CRITICAL",
      "itil": {
        "type": "INC",
        "category": "Vulnerability"
      },
      "hipaa_citations": [
        "164.308(a)(1)",
        "164.308(a)(5)",
        "164.312(e)"
      ],
      "recommendation": "Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE-specific virtual patches.",
      "detected_at": "2026-04-24T20:55:58.756059+00:00"
    },
    {
      "fid": "d71661f12300db8a",
      "detector": "file_transfer_cve",
      "title": "Progress MOVEit Transfer exposed to CVE-2023-36934",
      "severity": "critical",
      "product": "Progress MOVEit Transfer",
      "vendor": "Progress Software",
      "host": "mft01.regional-health.example",
      "installed_version": "2022.0.2",
      "cve": "CVE-2023-36934",
      "cvss": 9.1,
      "affected_before": null,
      "description": "Third SQLi vector patched July 2023",
      "policy": "ORACLE-FILE-TRANSFER-CVE-CRITICAL",
      "itil": {
        "type": "INC",
        "category": "Vulnerability"
      },
      "hipaa_citations": [
        "164.308(a)(1)",
        "164.308(a)(5)",
        "164.312(e)"
      ],
      "recommendation": "Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE-specific virtual patches.",
      "detected_at": "2026-04-24T20:55:58.756068+00:00"
    },
    {
      "fid": "9bf360d936c152fa",
      "detector": "file_transfer_cve",
      "title": "Cleo VLTrader / Harmony / LexiCom exposed to CVE-2024-50623",
      "severity": "critical",
      "product": "Cleo VLTrader / Harmony / LexiCom",
      "vendor": "Cleo Communications",
      "host": "edi.regional-health.example",
      "installed_version": "5.8.0.17",
      "cve": "CVE-2024-50623",
      "cvss": 9.8,
      "affected_before": "5.8.0.21",
      "description": "Unrestricted file upload leading to RCE, source of the BCBS Massachusetts Cierant breach December 2024",
      "policy": "ORACLE-FILE-TRANSFER-CVE-CRITICAL",
      "itil": {
        "type": "INC",
        "category": "Vulnerability"
      },
      "hipaa_citations": [
        "164.308(a)(1)",
        "164.308(a)(5)",
        "164.312(e)"
      ],
      "recommendation": "Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE-specific virtual patches.",
      "detected_at": "2026-04-24T20:55:58.756086+00:00"
    },
    {
      "fid": "d46df391ec693b0b",
      "detector": "file_transfer_cve",
      "title": "Cleo VLTrader / Harmony / LexiCom exposed to CVE-2024-55956",
      "severity": "critical",
      "product": "Cleo VLTrader / Harmony / LexiCom",
      "vendor": "Cleo Communications",
      "host": "edi.regional-health.example",
      "installed_version": "5.8.0.17",
      "cve": "CVE-2024-55956",
      "cvss": 9.8,
      "affected_before": "5.8.0.24",
      "description": "Patch-bypass of CVE-2024-50623, actively exploited",
      "policy": "ORACLE-FILE-TRANSFER-CVE-CRITICAL",
      "itil": {
        "type": "INC",
        "category": "Vulnerability"
      },
      "hipaa_citations": [
        "164.308(a)(1)",
        "164.308(a)(5)",
        "164.312(e)"
      ],
      "recommendation": "Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE-specific virtual patches.",
      "detected_at": "2026-04-24T20:55:58.756095+00:00"
    },
    {
      "fid": "aa232b7e5f82813a",
      "detector": "file_transfer_cve",
      "title": "Fortra GoAnywhere MFT exposed to CVE-2024-0204",
      "severity": "critical",
      "product": "Fortra GoAnywhere MFT",
      "vendor": "Fortra",
      "host": "ga.regional-health.example",
      "installed_version": "7.1.1",
      "cve": "CVE-2024-0204",
      "cvss": 9.8,
      "affected_before": null,
      "description": "Authentication bypass to admin",
      "policy": "ORACLE-FILE-TRANSFER-CVE-CRITICAL",
      "itil": {
        "type": "INC",
        "category": "Vulnerability"
      },
      "hipaa_citations": [
        "164.308(a)(1)",
        "164.308(a)(5)",
        "164.312(e)"
      ],
      "recommendation": "Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE-specific virtual patches.",
      "detected_at": "2026-04-24T20:55:58.756114+00:00"
    },
    {
      "fid": "100a8edb801b3bf5",
      "detector": "insider_email_exfil",
      "title": "Outbound email to personal webmail (gmail.com)",
      "severity": "critical",
      "from": "k.santos@regional-health.example",
      "from_domain": "regional-health.example",
      "to": "k.santos@gmail.com",
      "to_domain": "gmail.com",
      "subject": "member roster backup",
      "attachment_count": 1,
      "attachment_bytes": 4194304,
      "attachment_names": [
        "member-roster-Q2.xlsx"
      ],
      "phi_signatures": [],
      "risk_factors": [
        "has_attachment",
        "attachment_over_1mb",
        "bulk_data_file_type",
        "self_send_to_personal_account"
      ],
      "hipaa_citations": [
        "164.308(a)(4)",
        "164.312(b)",
        "164.502",
        "164.530(c)"
      ],
      "policy": "ORACLE-INSIDER-EXFIL-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Insider Threat"
      },
      "recommendation": "Quarantine the message, notify the privacy officer, and open a HIPAA sanctions case under 164.530(e). Block personal webmail domains at the secure email gateway for employees with PHI access.",
      "detected_at": "2026-04-24T20:55:58.755948+00:00"
    },
    {
      "fid": "204a4af4a53eae60",
      "detector": "insider_email_exfil",
      "title": "Outbound email to personal webmail (yahoo.com)",
      "severity": "critical",
      "from": "r.kim@regional-health.example",
      "from_domain": "regional-health.example",
      "to": "r.kim.personal@yahoo.com",
      "to_domain": "yahoo.com",
      "subject": "claims overflow",
      "attachment_count": 1,
      "attachment_bytes": 812000,
      "attachment_names": [
        "claims-export.csv"
      ],
      "phi_signatures": [
        "ssn",
        "mrn",
        "dob"
      ],
      "risk_factors": [
        "has_attachment",
        "bulk_data_file_type",
        "phi_signatures_present",
        "self_send_to_personal_account"
      ],
      "hipaa_citations": [
        "164.308(a)(4)",
        "164.312(b)",
        "164.502",
        "164.530(c)"
      ],
      "policy": "ORACLE-INSIDER-EXFIL-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Insider Threat"
      },
      "recommendation": "Quarantine the message, notify the privacy officer, and open a HIPAA sanctions case under 164.530(e). Block personal webmail domains at the secure email gateway for employees with PHI access.",
      "detected_at": "2026-04-24T20:55:58.756012+00:00"
    },
    {
      "fid": "5811d80cbb52cb50",
      "detector": "phi_in_url",
      "title": "PHI identifier exposed in URL",
      "severity": "critical",
      "url": "https://portal.regional-health.example/claim?mrn=MRN-884412&dob=04/17/1974",
      "matched_param_names": [
        "mrn",
        "dob"
      ],
      "phi_in_path": [],
      "phi_in_query_values": [
        "dob",
        "mrn"
      ],
      "hipaa_citations": [
        "164.502",
        "164.514"
      ],
      "policy": "ORACLE-PORTAL-URL-PHI-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Security / Privacy"
      },
      "recommendation": "Stop passing identifiers through URL query strings. Move identifiers into POST bodies or server-side session lookups. URLs land in browser history, server logs, referrer headers, and analytics pipelines.",
      "detected_at": "2026-04-24T20:55:58.755817+00:00"
    },
    {
      "fid": "dfab2d36879a2546",
      "detector": "phi_in_url",
      "title": "PHI identifier exposed in URL",
      "severity": "critical",
      "url": "https://portal.regional-health.example/auth?member_id=SUB-221199&ssn=123-45-6789",
      "matched_param_names": [
        "member_id",
        "ssn"
      ],
      "phi_in_path": [],
      "phi_in_query_values": [
        "ssn"
      ],
      "hipaa_citations": [
        "164.502",
        "164.514"
      ],
      "policy": "ORACLE-PORTAL-URL-PHI-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Security / Privacy"
      },
      "recommendation": "Stop passing identifiers through URL query strings. Move identifiers into POST bodies or server-side session lookups. URLs land in browser history, server logs, referrer headers, and analytics pipelines.",
      "detected_at": "2026-04-24T20:55:58.755873+00:00"
    },
    {
      "fid": "3e0451a902399e93",
      "detector": "portal_tracker",
      "title": "Tracker google_analytics present on analytics surface",
      "tracker_id": "google_analytics",
      "category": "analytics",
      "severity": "critical",
      "phi_page_context": true,
      "match_token": "googletagmanager.com",
      "hipaa_citations": [
        "164.502",
        "164.504",
        "164.508"
      ],
      "url": "https://portal.regional-health.example/login",
      "policy": "ORACLE-PORTAL-TRACKER-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Security / Privacy"
      },
      "recommendation": "Remove the tracker from every page that renders or receives PHI. If retention is required, route the data through a HIPAA-compliant analytics pipeline with a BAA in place.",
      "detected_at": "2026-04-24T20:55:58.755509+00:00"
    },
    {
      "fid": "4454be9075f7b2bd",
      "detector": "portal_tracker",
      "title": "Tracker meta_pixel present on advertising surface",
      "tracker_id": "meta_pixel",
      "category": "advertising",
      "severity": "critical",
      "phi_page_context": true,
      "match_token": "connect.facebook.net",
      "hipaa_citations": [
        "164.502",
        "164.508"
      ],
      "url": "https://portal.regional-health.example/login",
      "policy": "ORACLE-PORTAL-TRACKER-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Security / Privacy"
      },
      "recommendation": "Remove the tracker from every page that renders or receives PHI. If retention is required, route the data through a HIPAA-compliant analytics pipeline with a BAA in place.",
      "detected_at": "2026-04-24T20:55:58.755540+00:00"
    },
    {
      "fid": "224f695a69cfb1d7",
      "detector": "portal_tracker",
      "title": "Tracker hotjar present on session_replay surface",
      "tracker_id": "hotjar",
      "category": "session_replay",
      "severity": "critical",
      "phi_page_context": true,
      "match_token": "static.hotjar.com",
      "hipaa_citations": [
        "164.502",
        "164.504"
      ],
      "url": "https://portal.regional-health.example/login",
      "policy": "ORACLE-PORTAL-TRACKER-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Security / Privacy"
      },
      "recommendation": "Remove the tracker from every page that renders or receives PHI. If retention is required, route the data through a HIPAA-compliant analytics pipeline with a BAA in place.",
      "detected_at": "2026-04-24T20:55:58.755568+00:00"
    },
    {
      "fid": "fb75969f1dd05faa",
      "detector": "portal_tracker",
      "title": "Tracker google_analytics present on analytics surface",
      "tracker_id": "google_analytics",
      "category": "analytics",
      "severity": "critical",
      "phi_page_context": true,
      "match_token": "googletagmanager.com",
      "hipaa_citations": [
        "164.502",
        "164.504",
        "164.508"
      ],
      "url": "https://portal.regional-health.example/account",
      "policy": "ORACLE-PORTAL-TRACKER-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Security / Privacy"
      },
      "recommendation": "Remove the tracker from every page that renders or receives PHI. If retention is required, route the data through a HIPAA-compliant analytics pipeline with a BAA in place.",
      "detected_at": "2026-04-24T20:55:58.755616+00:00"
    },
    {
      "fid": "8e1324f03cb566af",
      "detector": "portal_tracker",
      "title": "Tracker meta_pixel present on advertising surface",
      "tracker_id": "meta_pixel",
      "category": "advertising",
      "severity": "critical",
      "phi_page_context": true,
      "match_token": "connect.facebook.net",
      "hipaa_citations": [
        "164.502",
        "164.508"
      ],
      "url": "https://portal.regional-health.example/account",
      "policy": "ORACLE-PORTAL-TRACKER-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Security / Privacy"
      },
      "recommendation": "Remove the tracker from every page that renders or receives PHI. If retention is required, route the data through a HIPAA-compliant analytics pipeline with a BAA in place.",
      "detected_at": "2026-04-24T20:55:58.755636+00:00"
    },
    {
      "fid": "73295ed85da83294",
      "detector": "portal_tracker",
      "title": "Tracker hotjar present on session_replay surface",
      "tracker_id": "hotjar",
      "category": "session_replay",
      "severity": "critical",
      "phi_page_context": true,
      "match_token": "static.hotjar.com",
      "hipaa_citations": [
        "164.502",
        "164.504"
      ],
      "url": "https://portal.regional-health.example/account",
      "policy": "ORACLE-PORTAL-TRACKER-BLOCK",
      "itil": {
        "type": "INC",
        "category": "Security / Privacy"
      },
      "recommendation": "Remove the tracker from every page that renders or receives PHI. If retention is required, route the data through a HIPAA-compliant analytics pipeline with a BAA in place.",
      "detected_at": "2026-04-24T20:55:58.755661+00:00"
    },
    {
      "fid": "18ca2ea4b6edd206",
      "detector": "vendor_breach_intel",
      "title": "Vendor match against recent breach intel: Conduent Business Services",
      "severity": "critical",
      "vendor": "Conduent Business Services",
      "baa_on_file": true,
      "services": [
        "print",
        "mail",
        "PHI"
      ],
      "breach_window": "2024-10-21 to 2025-01-13",
      "ransomware_group": null,
      "reach_us": 25000000,
      "citation": [
        "Blue Shield of California",
        "Blue Shield Promise Health Plan",
        "multiple Blue Cross Blue Shield plans"
      ],
      "policy": "ORACLE-VENDOR-BREACH-INTEL-MATCH",
      "itil": {
        "type": "INC",
        "category": "Vendor / Third Party"
      },
      "hipaa_citations": [
        "164.308(b)",
        "164.314(a)",
        "164.502(e)"
      ],
      "recommendation": "Treat this vendor as compromised until they produce a clean forensic report. Rotate any shared secrets, pull recent exchange logs, and issue member notifications if PHI transited the vendor in the breach window.",
      "detected_at": "2026-04-24T20:55:58.756128+00:00"
    },
    {
      "fid": "e7fd012c788cc09a",
      "detector": "vendor_breach_intel",
      "title": "Vendor match against recent breach intel: Young Consulting / Connexure",
      "severity": "critical",
      "vendor": "Young Consulting / Connexure",
      "baa_on_file": true,
      "services": [
        "stop loss software"
      ],
      "breach_window": "2024-04-10 to 2024-04-13",
      "ransomware_group": "BlackSuit",
      "reach_us": 954177,
      "citation": [
        "Blue Shield of California"
      ],
      "policy": "ORACLE-VENDOR-BREACH-INTEL-MATCH",
      "itil": {
        "type": "INC",
        "category": "Vendor / Third Party"
      },
      "hipaa_citations": [
        "164.308(b)",
        "164.314(a)",
        "164.502(e)"
      ],
      "recommendation": "Treat this vendor as compromised until they produce a clean forensic report. Rotate any shared secrets, pull recent exchange logs, and issue member notifications if PHI transited the vendor in the breach window.",
      "detected_at": "2026-04-24T20:55:58.756140+00:00"
    },
    {
      "fid": "e67e261b63ee660c",
      "detector": "file_transfer_cve",
      "title": "Fortra GoAnywhere MFT exposed to CVE-2023-0669",
      "severity": "high",
      "product": "Fortra GoAnywhere MFT",
      "vendor": "Fortra",
      "host": "ga.regional-health.example",
      "installed_version": "7.1.1",
      "cve": "CVE-2023-0669",
      "cvss": 7.2,
      "affected_before": null,
      "description": "Pre-auth RCE exploited by Clop for mass data theft",
      "policy": "ORACLE-FILE-TRANSFER-CVE-HIGH",
      "itil": {
        "type": "INC",
        "category": "Vulnerability"
      },
      "hipaa_citations": [
        "164.308(a)(1)",
        "164.308(a)(5)",
        "164.312(e)"
      ],
      "recommendation": "Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE-specific virtual patches.",
      "detected_at": "2026-04-24T20:55:58.756106+00:00"
    },
    {
      "fid": "066b59644bf8958e",
      "detector": "vendor_missing_baa",
      "title": "Vendor missing BAA: New Analytics Startup",
      "severity": "high",
      "vendor": "New Analytics Startup",
      "services": [
        "claims",
        "PHI"
      ],
      "policy": "ORACLE-VENDOR-MISSING-BAA",
      "itil": {
        "type": "CHG",
        "category": "Vendor / Third Party"
      },
      "hipaa_citations": [
        "164.308(b)",
        "164.502(e)"
      ],
      "recommendation": "Execute a Business Associate Agreement before any further PHI exchange. If the vendor refuses, stop the data flow within 30 days.",
      "detected_at": "2026-04-24T20:55:58.756152+00:00"
    }
  ],
  "bsca_pattern_coverage": {
    "web_tracker_phi_leak": "PortalTrackerScanner",
    "phi_in_url": "PhiInUrlScanner",
    "insider_email_exfiltration": "InsiderEmailExfilScanner",
    "file_transfer_cve_exposure": "FileTransferRiskScanner",
    "third_party_vendor_breach": "VendorBreachMonitor"
  }
}