Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

I was on ABC News recently discussing why banks are on alert as new AI systems like Anthropic’s Claude Mythos raise cybersecurity concerns. What struck me most is how quickly the conversation has shifted. This is no longer a hypothetical risk or something we are planning for in the future. Financial institutions and regulators are reacting in real time to what AI is already capable of doing. From my perspective, we are still underestimating how fast this is moving.

Organizations have invested heavily in consent management. Consent Management Platforms (CMPs) are standard infrastructure for privacy programs, and for good reason. Regulations like GDPR, CCPA/CPRA, LGPD, PDPA, and HIPAA require organizations to obtain, record, and honor user consent before collecting or processing personal data. CMPs provide the framework to do that. Most organizations have done the right thing, they just don’t know if they’ve done the right thing right.

When a patient logs into a billing portal, two of the most heavily regulated data types in the U.S. end up in the same browser session. PHI like health history, insurance providers, and diagnoses, renders right alongside the card entry fields they’ll use to pay. And with them load the third-party scripts that marketing manages. Analytics, heatmaps, A/B testing, conversion tracking. These tools are how growth teams optimize revenue and product teams improve the experience.

Consent management platforms were a reasonable first answer to GDPR. Capture the choice, log it, and move on. For a while, that felt like compliance. It wasn’t. A logged preference and an enforced preference are two different things. When a user clicks reject all, the legal obligation isn’t just to record that click, but it’s also to ensure no tracking script executes after that. Tags, pixels, analytics calls, behavioral trackers, they all need to stop.

AppsFlyer’s JavaScript SDK has been compromised in an active supply chain attack. Websites loading the script are serving malicious code to their users without any changes to their own codebase.

For most of HIPAA’s history, PHI moved through known systems, between known parties, for known reasons. You provisioned access and audited behavior. The data flows remained observable, and so did the vendor relationships built around them. EHR vendors, billing platforms, and transcription services, you knew what each one touched because you handed it to them. Then the website became part of the care journey. With it came appointment schedulers, symptom checkers, patient portals, and intake forms.

In 2024, Recorded Future’s Fraud Intelligence Report found over 11,000 e-commerce domains actively running payment page skimmers, a nearly 300% increase from the year before. The majority of those merchants had no client-side monitoring in place.Most of them were processing payments through legitimate, PCI-certified processors. Some of them were almost certainly SAQ-A-EP merchants who believed their processor’s compliance covered their risk. It doesn’t.

CCPA used to audit your policies and paperwork. Then came the Sephora settlement, and things moved to logs, runtime, and network reports. The company’s privacy policy said it didn’t sell consumer data. California’s AG ran the site, watched the cookies and pixels fire, and found that in reality, they did. Healthline followed in 2025. Then Disney in 2026. Different companies, common findings. Data gets collected and shared with third parties via tags. GPC gets ignored.

Three million patients. That’s how many had their most sensitive health information silently siphoned from hospital systems and handed to a party that had no authorization to receive it. The year was 2022. And what would become one of the largest unauthorized disclosures of protected health information ever documented didn’t arrive through a ransomware attack, a stolen credential, or a nation-state intrusion. It came from a piece of marketing software doing exactly what it was designed to do.

If your organization serves patients in both the United States and the European Union, two regulators, HIPAA and GDPR, are already watching your website. Specifically, what happens in the seconds between a visitor landing on your page and your analytics stack doing its job. In March 2024, OCR mentioned that even unauthenticated website interactions, like a user browsing your oncology content or typing into a symptom checker, can constitute PHI if the visit is for health-related purposes.