
ACME Corp · Severity: critical

Unencrypted patient data in a legacy datastore

A breach here is an automatic HIPAA + GDPR reportable event — penalties scale with revenue and record count.

Frameworks: HIPAA, GDPR, NIST CSF · Status: Unmet (encryption config snapshot missing)

Root cause

A legacy reporting datastore predates the managed-KMS standard and holds patient records in plaintext at rest. It is outside the encryption baseline applied to the primary databases.

Business impact

Any exposure of this store is an automatic HIPAA + GDPR reportable breach. Penalties scale with revenue and record count, and the regulator will ask who signed off on the control state.

Mapped controls

NIST PR.DS-01: fails while this gap is open
HIPAA §164.312(a)(2)(iv): fails while this gap is open
GDPR Art 32: fails while this gap is open

Drives loss scenarios

Cloud data exfiltration: ALE $1.1M · Mitigating
PHI breach (legacy store): ALE $640K · Open

The fix

Closes this gap: encrypt the legacy datastore at rest and rotate keys to the managed KMS.
~2 weeks · Data Engineering · satisfies 3 frameworks