// reference investigation

fischer-healthcare-breach — PHI exfil + audit gap cluster

Fischer Regional Clinic breach: DICOM PHI tags, Access registry export, M365 SharePoint downloads from 198.51.100.44, security EVTX gap with audit cleared, PACS SIEM silence, tampered audit trail export, chain-of-custody gaps. Fully synthetic.

what this proves

  • all eight healthcare-breach primary engines produce deterministic, fixture-locked output — verified by npm run check:flagship (280/280 fleet · 8 for this scenario).
  • every output is generated 100% locally in your browser — export audit logs, never upload PHI.
  • DICOM PHI tags, Access registry bulk exports, M365 SharePoint exfil, EVTX audit gaps, SIEM silence, tampered audit trails, and chain-of-custody gaps surface without sending evidence to a server.

primary engines locked to this fixture

build the case binder

runs all eight primary engines on the synthetic evidence zip and opens a self-contained html binder. uses the default binder renderer for healthcare-breach — no upload.

runs all 8 primary engines locally on the synthetic evidence zip · opens a self-contained html binder · no upload

download the synthetic evidence

MIT-licensed, fully synthetic. includes DICOM .dcm with PHI tags, Access .mdb patient registry, M365 unified audit json, security EVTX with audit cleared, SIEM ingestion csv, exported audit trail text, and chain-of-custody csv.

built deterministically from scripts/fixtures/build-fischer-healthcare-breach.mjs. seed: fischer-healthcare-breach:v1.

methodology

PHI scope starts with what actually left the PACS — walk DICOM metadata → Access registry → UAL exports → log gap → ingestion gap → authenticity → chain of custody. de-identified labels do not mean de-identified tags: a study marked de-identified can still carry populated patient tags in its DICOM header. read the full healthcare data breach guide →

after the playbook

run each primary locally — or export findings from the binder — then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. one timestamp-sorted timeline across DICOM PHI export, Access registry bulk, M365 SharePoint download, Security EVTX gap, and chain-of-custody break — still zero upload.
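the walk order in the methodology section and the single-timeline step above come down to one operation: merge per-engine findings by timestamp, then look for silence and for tampering that lands after the exfil. the block below is an added, self-contained illustration of that operation, not the project's own correlator or binder code; every record in it is constructed sample data, and the source tags (dicom-phi, access-registry, m365-ual, security-evtx, chain-of-custody) are assumed labels chosen to mirror the page, not a real export format.

```python
"""Constructed timeline correlator (added example; not the project's own code).

Merges per-engine findings into one chronological timeline, reports gaps in
the Security EVTX record, and checks whether the audit-cleared event follows
the exfiltration findings. All records are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Constructed findings, one list per evidence source. Each record carries a
# source tag and an ISO-8601 UTC timestamp; the tags are assumed labels.
DICOM_PHI_EXPORT = [
    {"ts": "2024-03-04T02:11:00Z", "source": "dicom-phi",
     "detail": "PatientName (0010,0010) still populated in study labelled de-identified"},
]
ACCESS_REGISTRY_BULK = [
    {"ts": "2024-03-04T02:25:00Z", "source": "access-registry",
     "detail": "bulk read of patient registry table"},
]
M365_SHAREPOINT = [
    {"ts": "2024-03-04T02:31:00Z", "source": "m365-ual",
     "detail": "FileDownloaded from SharePoint, ClientIP 198.51.100.44"},
]
SECURITY_EVTX = [
    {"ts": "2024-03-04T01:58:00Z", "source": "security-evtx", "event_id": 4624,
     "detail": "logon"},
    {"ts": "2024-03-04T02:02:00Z", "source": "security-evtx", "event_id": 4663,
     "detail": "object access"},
    # nothing recorded for 45 minutes, then the audit log is cleared
    {"ts": "2024-03-04T02:47:00Z", "source": "security-evtx", "event_id": 1102,
     "detail": "audit log cleared"},
]
CHAIN_OF_CUSTODY = [
    {"ts": "2024-03-05T09:00:00Z", "source": "chain-of-custody",
     "detail": "PACS disk image handed off with no receiving signature"},
]

EXFIL_SOURCES = ("dicom-phi", "access-registry", "m365-ual")
AUDIT_LOG_CLEARED = 1102  # Windows Security event id for "the audit log was cleared"


def parse_ts(s):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(*sources):
    """Merge any number of per-engine record lists into one chronological list."""
    merged = [dict(r, when=parse_ts(r["ts"])) for src in sources for r in src]
    return sorted(merged, key=lambda r: r["when"])


def find_log_gaps(records, max_gap=timedelta(minutes=15)):
    """Return (start_ts, end_ts, minutes) for each silence longer than max_gap
    between consecutive records of a single log."""
    ordered = sorted(records, key=lambda r: parse_ts(r["ts"]))
    gaps = []
    for a, b in zip(ordered, ordered[1:]):
        delta = parse_ts(b["ts"]) - parse_ts(a["ts"])
        if delta > max_gap:
            gaps.append((a["ts"], b["ts"], int(delta.total_seconds() // 60)))
    return gaps


def audit_cleared_after_exfil(timeline):
    """True when every exfil finding precedes the first audit-cleared event,
    i.e. the log was cleared after the data left."""
    exfil = [r["when"] for r in timeline if r["source"] in EXFIL_SOURCES]
    cleared = [r["when"] for r in timeline if r.get("event_id") == AUDIT_LOG_CLEARED]
    return bool(exfil) and bool(cleared) and max(exfil) < min(cleared)


def timeline_lines(timeline):
    """Render the merged timeline as fixed-width text lines."""
    return [f"{r['ts']}  {r['source']:<17} {r['detail']}" for r in timeline]


if __name__ == "__main__":
    tl = build_timeline(DICOM_PHI_EXPORT, ACCESS_REGISTRY_BULK, M365_SHAREPOINT,
                        SECURITY_EVTX, CHAIN_OF_CUSTODY)
    print("\n".join(timeline_lines(tl)))
    for start, end, minutes in find_log_gaps(SECURITY_EVTX):
        print(f"security-evtx silent {minutes} min: {start} -> {end}")
    print("audit cleared after exfil:", audit_cleared_after_exfil(tl))
```

the gap threshold is deliberately an argument: a quiet PACS host and a busy domain controller have very different normal cadences, and the threshold that surfaces the 45-minute hole here would drown a noisy log in false positives.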

synthetic scenario only · no real patients · no real facility · grading rubric
