ValidantLab readiness artifact
Executive summary
Northstar Patient Portal begins at 62/100 readiness. The critical finding: the storage read policy on the patient-documents bucket allows reads without proving the requester is the patient, so uploaded clinical files holding personal data are reachable across tenants. A clinical PDF, insurance card, or MRN uploaded by one patient can be read by an unauthenticated request or a different patient. Under GDPR this is an unauthorised disclosure of special-category personal data and a personal data breach reportable under Art. 33-34. Evidence support improves after approval of the recommended fix, while human review remains required for final use.
Scope
northstar-health/patient-portal on main. Repository signals, Next.js + Supabase posture, deployment context, identity claims, and generated remediation evidence for the flagged flow.
Critical finding
Patient documents are readable across tenants (personal data exposure). Patient files land in a bucket whose read policy does not prove the reader is the patient who owns the object. The select policy keys on bucket id alone and is not scoped to an authenticated role, so signed and direct reads resolve for any caller. Evidence support cannot show that access to personal data is limited to the right patient context, and there is no access record to confirm prior reads did not occur.
Remediation
Replace the public read policy with a patient-scoped policy that requires an authenticated role and matches the object folder to the patient_id claim in auth.jwt(). Confirm a signed Data Processing Agreement covers the storage subprocessor. Fixes require human review and approval, and evidence is marked generated only after that approval.
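The policy change described above, as an added SQL example for Supabase storage (not the project's own policy text). The policy names, the object layout <patient_id>/<filename>, a top-level patient_id claim in the JWT, and the constructed test claims are assumptions; the patient-documents bucket id is taken from the finding.

```sql
-- Before: the policy shape the finding describes. It keys on bucket id alone
-- and is not restricted to a role, so anon callers and other patients can
-- select (and therefore read or sign URLs for) any object in the bucket.
create policy "patient_documents_read"
on storage.objects for select
using (bucket_id = 'patient-documents');

-- After: drop the public policy and replace it with a patient-scoped one.
drop policy if exists "patient_documents_read" on storage.objects;

create policy "patient_documents_read_own"
on storage.objects for select
to authenticated                      -- anon callers match no policy, get no rows
using (
  bucket_id = 'patient-documents'
  -- Objects are assumed to be stored as <patient_id>/<filename>; the first
  -- folder segment must equal the patient_id claim in the caller's JWT
  -- (assumed here to be a top-level custom claim).
  and (storage.foldername(name))[1] = (auth.jwt() ->> 'patient_id')
);

-- Tenant isolation check for the evidence table, run as the postgres role
-- inside a transaction with constructed claims. auth.jwt() reads
-- request.jwt.claims, so this query sees exactly what the policy allows.
begin;
set local role authenticated;
set local request.jwt.claims to
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated","patient_id":"patient-a"}';
-- Expected: zero rows. Any row here is an object from another tenant that
-- the policy still exposes, i.e. a failed isolation test.
select name
from storage.objects
where bucket_id = 'patient-documents'
  and (storage.foldername(name))[1] <> 'patient-a';
rollback;
```

Signed URLs minted with the service-role key bypass row-level security entirely, so server code that issues them must apply the same owner check before signing.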
Current state
Evidence table
| Artifact | Status | Reviewer note |
|---|---|---|
| No tenant isolation test attached to the storage policy evidence. | Missing or partial | Derived from approved demo flow state. |
| No encryption-in-transit check recorded for the patient-documents endpoint. | Missing or partial | Derived from approved demo flow state. |
| Human review record is missing for the generated policy change. | Human review required | Reviewer must confirm final control language. |
| Signed Data Processing Agreement for the storage subprocessor is not on file. | Missing or partial | Derived from approved demo flow state. |
Residual risk
After the approved policy fix, residual risk is Low. Access logs predating the fix cannot confirm whether cross-tenant reads occurred, and the storage subprocessor Data Processing Agreement is still pending signature. Both items require human review before the finding is closed.
Reviewer sign-off
Accountable reviewer: Maya Chen
Role: Security Program Lead
Decision: Pending review
Sign-off records the accountable reviewer for this readiness artifact. Fixes require approval, and final readiness decisions still require human review.
This artifact can support readiness review, but control ownership, implementation safety, and final wording still require accountable human review.
This is a demo readiness artifact, not a compliance certification or legal opinion.