Public awareness and understanding around PHI breach events is extremely inconsistent and has been for years. For example, the OCR breach portal only provides a few types of general information, usually months after an event -e.g., number of people affected (often initially undercounted, often massively), name of covered entity (often listing an unclear spelling/format or alias, and often not the organization that was actually breached), type of breach (basically intentional hacker/insider or accidental), location of breach (overwhelmingly reported generically as either network server or email, without reference to specific hw/sw vendors or attacker TTPs), and free text description field that appears to be little more than a boilerplate restatement of the fixed field values, except for sometimes noting the specific types of PHI exposed (often added months or years after the attack and initially understated). In addition, edits to OCR entries are made without notice or version-tracking via a javascript content viewer that obfuscates automated archiving for version change analysis. As poor and inconsistent as the OCR portal data is today and has been for many years, I believe it can provide value as an input for higher intelligence. Specifically, an evidence-linked knowledge graph for PHI breach events that combines OCR data with other sources in real time -e.g., darknet posts, social media, news reports, breach letters, vendor reports, legal actions, SEC filings, State AG reports/portals, CISA/FBI reports, etc. My preliminary findings indicate two types of value from this level of curated-interconnected intelligence: (1) smarter vendor/supply-chain risk intelligence; (2) smarter risk-liability-cost intelligence (by mapping the full breach event lifecycle, reverse engineering legal settlements and regulator penalties back to the root risk -i.e., when did the risk-liability arise, and why it may not have been immediately recognized). Can you think of any other use cases? Target buyers? Suggested scope/focus for MVP?
Yes. The strongest product framing is not “better OCR breach data.” It is evidence-linked PHI breach intelligence that reconstructs what actually happened, when it became knowable, who was exposed through whom, and what risk/liability followed.
OCR is still valuable, but as a delayed, mutable, weakly normalized signal. The HHS portal is required to post breaches affecting 500+ individuals, and the current public table is limited to fields such as covered entity, state, entity type, affected count, submission date, breach type, breach location, BA present, and description. (OCR Portal) HHS also explicitly allows estimates and later addenda when more information becomes available, which makes versioning and delta capture a real intelligence feature, not just a nice-to-have. (HHS.gov) The Change Healthcare example validates your undercount thesis especially well: HHS says the initial OCR report listed “500” affected individuals because that is the minimum portal threshold, while later updates reached approximately 192.7 million impacted individuals. (HHS.gov)
1. Breach identity resolution.
A “PHI breach resolver” that answers: Is this OCR row, state AG notice, vendor notice, class action, and SEC filing the same event or different events? This is foundational because healthcare breach reporting often fragments one real-world incident across many covered entities, aliases, subsidiaries, business associates, and notification letters.
2. Fourth-party exposure mapping.
Beyond vendor risk, the graph can expose hidden chains: covered entity → business associate → subcontractor → software product → exploited vulnerability → threat actor campaign. This is especially valuable for healthcare because OCR reporting can list the covered entity while the operational breach occurred at a BA, software vendor, clearinghouse, file-transfer provider, billing vendor, cloud host, or subcontractor.
3. Notification-clock and delay intelligence.
Map breach occurrence, discovery, BA notice to covered entities, individual notice, OCR submission, state AG posting, media notice, SEC disclosure, and later amendments. HIPAA reporting for 500+ individuals is tied to “without unreasonable delay” and no later than 60 calendar days from discovery, and business associates also have 60-day notice duties to covered entities. (HHS.gov) That makes timing analysis commercially useful for legal, compliance, and insurer buyers.
4. Control-failure intelligence.
Translate events from “Hacking/IT Incident / Network Server” into actual root-risk language: SQL injection, no MFA, exposed remote access, delayed patching, weak segmentation, excessive retention, insecure MFT architecture, poor vendor monitoring, inadequate logging, etc. This can be mapped to HHS HICP / HPH cybersecurity performance goals, which explicitly frame cybersecurity as patient-safety protection and prioritize practices against common healthcare threats. (HHS Cyber Gateway)
5. Legal/regulatory comparables.
For each breach type, show comparable lawsuits, settlements, OCR actions, AG actions, class-action theories, affected counts, data types, delays, remediation claims, and settlement ranges. OCR’s 2026 MMG Fusion settlement is a useful proof point because OCR tied a 15-million-person breach to HIPAA Privacy, Security, and Breach Notification issues, and described risk analysis as requiring an accurate and thorough assessment of risks to ePHI. (HHS.gov)
6. SEC and board materiality support.
For public companies, a cyber incident can trigger Form 8-K disclosure within four business days after a materiality determination, and annual 10-K cyber risk/governance disclosures are now part of the reporting environment. (SEC) A PHI breach graph can help counsel and boards answer: What did we know? What should we have known? Was the vendor/system/risk already visible in prior events?
7. Loss modeling / cyber insurance underwriting.
Insurers and reinsurers need better data on severity drivers: affected count inflation, data type sensitivity, business-associate involvement, operational disruption, ransomware vs theft-only, notification complexity, litigation rate, regulatory follow-on, and settlement trajectory. Your graph could become an underwriting and claims-reserving dataset.
8. Procurement and BAA negotiation intelligence.
Before signing with a healthcare vendor, a buyer could ask: Has this vendor, product category, parent company, or subcontractor appeared in PHI breach chains? What was the root cause? Did clients get timely notice? Were counts amended upward? Were lawsuits filed? This is much more actionable than a static SOC 2 or security questionnaire.
9. Evidence preservation / audit trail.
A versioned evidence dossier has standalone value. OCR rows, breach letters, AG pages, vendor FAQs, press releases, and court documents change or disappear. An evidence-linked graph can answer not only what is true now but what was publicly visible on a specific date.
10. Security vendor market intelligence.
Security vendors could use the graph to identify demand signals: hospitals exposed through MFT, organizations with recurring email compromise, BA clusters with weak incident notice, or sectors repeatedly hit by specific TTPs. This is a secondary use case, but it may be easier to monetize than selling directly to small providers.
The best initial buyers are not the general public and probably not regulators. They benefit from the data, but they are weak first customers. The first commercial buyers should have urgent risk, legal, underwriting, or vendor-management pain.
Buyer
Why they care
Best product angle
Healthcare cyber insurers / reinsurers
Need better severity, aggregation, and claims models
PHI breach loss intelligence dataset
Breach counsel / privacy law firms
Need timelines, comparables, liability theories, notice evidence
Evidence-backed breach lifecycle dossiers
Plaintiff / defense litigation teams
Need causation, delay, data-type, and settlement comparables
Legal intelligence + event reconstruction
Health system vendor-risk teams
Need to know which vendors/products create real breach exposure
Vendor / BA exposure graph
Payers and clearinghouses
High downstream exposure and regulatory pressure
Supply-chain breach monitoring
Healthcare MSSPs / GRC consultants
Need differentiated intelligence for clients
API/data layer for advisory work
Public-company legal / IR / board teams
Need materiality and disclosure context
SEC cyber incident context + comparables
Security vendors
Need account targeting and category risk proof
Market intelligence from breach patterns
My suggested first commercial wedge: cyber insurance + breach/privacy law firms. They have clearer willingness to pay for curated, evidence-backed intelligence than small providers, and they do not require you to become a full GRC workflow platform on day one.
Do not start with “all PHI breaches.” That is too broad and turns into data janitorial work. Start with:
PHI Supply-Chain Breach Intelligence: MOVEit/CL0P and comparable vendor-originated healthcare breach cascades.
This is a strong MVP because MOVEit gives you a bounded but complex campaign: many covered entities, many business associates, one software product, one exploited vulnerability, one attacker campaign, many OCR entries, many notification letters, and downstream litigation/regulatory effects. CISA/FBI publicly tied CL0P/TA505 activity to exploitation of MOVEit Transfer CVE-2023-34362, giving you a clean campaign anchor. (CISA)
Who was actually breached?
Covered entity vs business associate vs vendor vs product vs subcontractor.
What was the real technical root?
Not “Network Server,” but product, CVE, TTP, exploit window, attacker, and mitigation window.
How did the reported impact change over time?
Affected-count timeline, OCR amendments, state notices, vendor updates, and conflicting numbers.
What data types and harms were involved?
Demographic, clinical, financial, SSN, claims, diagnosis, medications, insurance IDs, etc.
What legal/regulatory lifecycle followed?
OCR row, state AG notice, breach letter, lawsuits, consolidated actions, settlements, enforcement, SEC disclosure, remediation claims.
Core entities:
BreachEvent, Campaign, CoveredEntity, BusinessAssociate, Vendor, SoftwareProduct, Vulnerability, ThreatActor, Report, EvidenceAsset, Notification, LegalAction, RegulatoryAction, DataType, AffectedCountEstimate, ControlFailure, Mitigation.
Critical design choice: make affected count and PHI type time-series assertions, not static attributes. Each value should have source, date observed, date published, confidence, and screenshot/archive evidence.
For a pilot, I would build three outputs:
Interactive graph view
Campaign → vendor/product → BA → covered entities → affected counts → legal/regulatory artifacts.
Evidence dossier per breach event
OCR screenshot, OCR CSV/XML snapshot where possible, breach letter, state AG page, vendor advisory, CISA/advisory link, lawsuit docket, SEC filing if applicable, and archived copies.
Analyst brief / API export
“Top vendor-originated PHI breach cascades,” “largest upward count revisions,” “OCR label vs actual root cause,” “entities with BA-caused notice complexity,” “litigation comparables.”
Exclude broad darknet monitoring as a core MVP feature. Keep it as a high-confidence signal source only when it directly links to a breach event. Darknet ingestion creates operational, evidentiary, and safety complexity. The MVP should win on normalization, evidence, versioning, and lifecycle reconstruction, not on being another threat-feed scraper.
Also avoid positioning this as an “AI risk score” first. The stronger claim is:
Every breach claim is evidence-linked, versioned, normalized, and explainable. AI accelerates extraction; the product value is the defensible intelligence graph.
The most precise wedge:
Torgen maps PHI breach events from first signal to final liability, showing who was actually breached, which vendor/product/root risk caused exposure, how reported impact changed over time, and what legal/regulatory consequences followed.
That directly supports your two strongest value propositions: smarter vendor/supply-chain risk intelligence and smarter risk-liability-cost intelligence. The third major value proposition is time-aware evidence integrity: knowing not just what happened, but what was publicly knowable at each point in the breach lifecycle.