Demo Mode

Every screen, flow, export, and remediation path is the real Veri-Guard product. The specific findings, scores, and runbooks shown are curated to illustrate a typical before/after story. Your tenant scan produces your own numbers.

Drill bundle · HIPAA · midmarket · 7 roles · 6-year WORM retention

Misdirected fax exposes 312 patient records to competitor's office

Your HIPAA scan flagged that the fax-out workflow has no validation step. This scenario walks through the §164.402 four-factor risk assessment and the §164.404 notification mechanics for a misdirected-PHI event.

NIST CSF: Respond (RS.CO, RS.AN)
Generated at: May 7, 2026, 14:32 UTC
Source job: demo-hipaa-0501
Source checksum: sha256:c47e…91d3

Run drill — live (demo)

Try the live drill runner — timer, inject Drop buttons, response capture, scoring rubric, the lock flow, AI Coaching feedback simulation, and the spectator URL handoff for attendees. No tokens consumed; no audit record produced. The lock will synthesize a real-looking session checksum (browser SHA-256) so you can see the locked-evidence view.


Bundle versions & edit history

Draft · editable

This drill bundle is editable until the first session is created. Each save appends a new version (v1, v2, …) with a SHA-256 captured in the audit chain — auditors can see exactly what changed, when, and by whom. The first Run drill click freezes the bundle: whatever version is active at that moment becomes the locked auditor-evidence source for every session that follows.


Sessions started right now will run against v1. The bundle freezes at v1 the first time someone clicks Run drill — make any edits before then.


HIPAA · v1.0.0


Frameworks: HIPAA §164.402 · HIPAA §164.404 · HIPAA §164.408 · NIST CSF · HHS 405(d) HICP
NIST CSF: Respond (RS.CO, RS.AN)
Duration: 75–90 minutes (longer than other tabletops because §164.402 + §164.404 require careful documentation)
Injects: 6 timed
Rubric: 7 criteria

On a Wednesday at 14:08 ET, a billing clerk at your organization fax-batches 312 patient encounter summaries to what they believe is the third-party billing service. The destination number was off by one digit; the fax actually landed at a competing healthcare practice's general office line. The competing practice's office manager calls your privacy officer 47 minutes later and politely asks 'Did you mean to send us 312 of someone's patient records?' The fax is paper-only at the receiving end (their MFP printed it).

Threat actor: None. This is an unauthorized disclosure caused by an internal process failure, not by a malicious actor. Most HIPAA breaches fall into this category.

Attack chain

  1. Cause: Fax destination was hand-keyed by a clerk; no second-person check, no fax-cover-sheet validation, no destination whitelist.
  2. Disclosure: 312 encounter summaries print at an unrelated organization. The receiving organization's office manager picks them up from the MFP.
  3. Notification (inbound): Receiving practice calls your privacy officer at 14:55 ET to flag the misdirection.
  4. Mitigation window: From 14:08 to 14:55, the fax pages were physically present at the receiving organization. Multiple staff may have walked past the printer.

Affected assets

  • 312 patient encounter summaries (PHI: name, DOB, MRN, visit date, diagnosis codes, billing codes)
  • Patient trust + reputation
  • OCR breach reporting requirement (§164.408 — likely required since count >500 across a rolling 12 months)
  • Optional state AG notification (depending on state)

Linked scan findings

Control ID     Severity   Finding                                                              Safeguard        Spec
HIPAA-AS-002   High       No documented fax-validation procedure for outbound PHI              Administrative   Required
HIPAA-AS-014   Medium     No documented training on minimum-necessary disclosure standard      Administrative   Addressable
HIPAA-PS-008   Medium     Workforce sanction policy not documented for accidental disclosure   Administrative   Required

Generated from HIPAA scan demo-hipaa-0501 on 2026-05-07. This is facilitator material — verify scenario specifics against your tenant before use. Veri-Tech does not warrant scenario fitness for any specific audit framework; pair with the source scan job (which IS auditor evidence) and your own IR plan and Notice of Privacy Practices.

AI generation provenance

Model: claude-haiku-4-5-20251001
Template version: v1.0.0
Generated at: May 7, 2026, 14:32 UTC
Org-shape snapshot: midmarket · 7 roles, frozen at generation time

Auditors verify AI-generation lineage by reading _manifest.json in the source bundle (full token + cache accounting, generation timestamps, SHA-256 cross-references). The auditor ZIP carries it verbatim.

Auditor-grade artifacts

The three audience-tailored downloads below are demo replicas of what a locked session would produce — full Team Debrief PDF, board-packet Executive Brief PDF, and the Auditor ZIP with bundle audit chain + SHA-256 cross-references. The locked session backing these demo artifacts is pre-populated with realistic responses + scores so the PDFs render against meaningful content. Production artifacts ship with a 6-year WORM retention contract on a real Vault tenant; these are clearly watermarked as demo.

Edit history

Draft (editable)

Active version: v1. No sessions have been created yet — the bundle is still editable. The chain freezes at the first session creation.

  1. v1 · Facilitator save · May 7, 2026, 14:42 UTC
     By: demo.facilitator@veri-tech.net
     Bundle hash: sha256:b9d4c8e3f2a1

     Tightened the T+25 min inject + added missing vendor-coordination workload to the IR plan

     Fields changed (1)
     • injects[1].content
  2. v0 · AI baseline · May 7, 2026, 14:32 UTC
     By: claude-haiku-4-5-20251001
     Bundle hash: sha256:a8c3b7f2e1d9

Each version’s SHA-256 is captured in the IrTabletopBundleEdited / IrTabletopBundleFrozen audit events (App Insights, 6yr retention) and exported into the auditor ZIP’s manifest.json.

Demo mode: editable-draft saves never touch a server, no Anthropic tokens are consumed, and downloads carry a “DEMO ARTIFACT” watermark in their manifest disclaimer. In production, each save POSTs to /api/ir-tabletop-bundles/{drillId}/versions, computes a real server-side diff and SHA-256, appends to the WORM-protected audit chain, and emits an IrTabletopBundleEdited App Insights event with 6-year retention.
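The mechanics described above (a per-version SHA-256, a changed-fields list in the injects[1].content path style, a freeze that stops further saves, and a chain an auditor can re-verify) are easy to get subtly wrong, so here is a small Python model of them. This is an added illustration written for this page, not Veri-Guard's server code: the bundle content, author names and the hash-linking scheme (each entry binds the previous entry's hash, with an all-zero hash for the baseline) are assumptions, and canonical JSON is used so that semantically equal bundles always hash the same.

```python
"""Hash-chained version history for an editable drill bundle (illustrative only).

Not Veri-Guard's implementation. Field paths follow the page's style, e.g.
injects[1].content. The sample bundle in demo() is constructed for the example.
"""
import copy
import hashlib
import json


def canonical_hash(obj) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace) so that two
    semantically equal objects always produce the same digest."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(data).hexdigest()


def changed_fields(old, new, path="") -> list:
    """Recursively list the paths whose value differs between two bundles."""
    if isinstance(old, dict) and isinstance(new, dict):
        out = []
        for key in sorted(set(old) | set(new)):
            sub = f"{path}.{key}" if path else key
            if key not in old or key not in new:
                out.append(sub)  # field added or removed
            else:
                out.extend(changed_fields(old[key], new[key], sub))
        return out
    if isinstance(old, list) and isinstance(new, list):
        out = []
        for i in range(max(len(old), len(new))):
            sub = f"{path}[{i}]"
            if i >= len(old) or i >= len(new):
                out.append(sub)  # element added or removed
            else:
                out.extend(changed_fields(old[i], new[i], sub))
        return out
    return [] if old == new else [path]


class VersionChain:
    """Append-only versions; each entry commits to the bundle hash and to the
    previous entry's hash, so altering or dropping any version breaks verify()."""

    GENESIS = "sha256:" + "0" * 64  # assumed marker for the baseline's predecessor

    def __init__(self, baseline: dict, author: str):
        self.versions = []
        self.frozen = False
        self._append(baseline, author, [])

    def _append(self, bundle, author, fields):
        prev = self.versions[-1]["entry_hash"] if self.versions else self.GENESIS
        entry = {
            "version": len(self.versions),
            "by": author,
            "bundle_hash": canonical_hash(bundle),
            "prev_entry_hash": prev,
            "fields_changed": fields,
        }
        entry["entry_hash"] = canonical_hash(entry)  # hash of the fields above only
        entry["bundle"] = copy.deepcopy(bundle)       # stored snapshot, not hashed here
        self.versions.append(entry)
        return entry

    def save(self, bundle, author):
        """Append a new version; refused once the bundle is frozen."""
        if self.frozen:
            raise PermissionError("bundle is frozen; no further versions allowed")
        fields = changed_fields(self.versions[-1]["bundle"], bundle)
        return self._append(bundle, author, fields)

    def freeze(self) -> str:
        """Lock the chain and return the hash that becomes the evidence source."""
        self.frozen = True
        return self.versions[-1]["bundle_hash"]

    def verify(self) -> bool:
        """Recompute every link: entry hash, bundle hash and predecessor pointer."""
        prev = self.GENESIS
        for entry in self.versions:
            body = {k: v for k, v in entry.items() if k not in ("entry_hash", "bundle")}
            if canonical_hash(body) != entry["entry_hash"]:
                return False
            if body["prev_entry_hash"] != prev:
                return False
            if canonical_hash(entry["bundle"]) != body["bundle_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Baseline -> one facilitator edit -> freeze -> verify -> detect tampering."""
    baseline = {  # constructed sample, not the page's real bundle
        "title": "Misdirected fax",
        "injects": [{"t": 0, "content": "Inbound call from receiving practice"},
                    {"t": 25, "content": "Billing vendor asks what to do"}],
    }
    chain = VersionChain(baseline, "ai-baseline")
    edited = copy.deepcopy(baseline)
    edited["injects"][1]["content"] = "Billing vendor asks what to do; coordinate via BAA contact"
    v1 = chain.save(edited, "facilitator@example.invalid")
    locked_hash = chain.freeze()
    ok_before = chain.verify()
    chain.versions[0]["bundle"]["title"] = "tampered"  # silently alter stored history
    return v1["fields_changed"], locked_hash == v1["bundle_hash"], ok_before, chain.verify()
```

Running demo() yields the changed path list, confirmation that the frozen hash is the latest version's, a passing verification, and then a failing one after the stored v0 snapshot is altered, which is the property an auditor relies on when the chain ships in the auditor ZIP.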