# 🔴 CRITICAL: SQL Injection Vulnerability with PHI

## Security Violation

**Severity:** CRITICAL
**File:** `demo/backend/src/main/java/com/healthguard/ClaimController.java`
**Lines:** 24-27

## Description

Direct string concatenation in a SQL query allows SQL injection attacks that could expose or manipulate patient PHI.

**Vulnerable Code:**

```java
// patientMrn is attacker-controlled input spliced straight into the query text
String sql = "SELECT p.patient_name, p.ssn, p.date_of_birth, " +
             "l.test_name, l.result_value, l.result_date " +
             "FROM patients p JOIN lab_results l ON p.id = l.patient_id " +
             "WHERE p.mrn = '" + patientMrn + "'";
```

## Regulations Violated

- HIPAA § 164.308(a)(1)(ii)(D) - Information System Activity Review
- HIPAA § 164.312(a)(1) - Access Control
- GDPR Art. 32(1)(b) - Ability to ensure ongoing confidentiality

## Required Fix

Use `PreparedStatement` with parameterized queries:

```java
// The query text is fixed; the MRN is bound as a parameter, never as SQL
String sql = "SELECT p.patient_name, p.ssn, p.date_of_birth, " +
             "l.test_name, l.result_value, l.result_date " +
             "FROM patients p JOIN lab_results l ON p.id = l.patient_id " +
             "WHERE p.mrn = ?";
PreparedStatement pstmt = conn.prepareStatement(sql);
pstmt.setString(1, patientMrn); // bound as data; quotes in the value cannot change the query
ResultSet rs = pstmt.executeQuery();
```

## Impact

SQL injection could allow attackers to:

- Extract the entire patient database
- Modify or delete patient records
- Bypass authentication and authorization controls
- Execute arbitrary database commands
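The required fix, carried through as a complete lookup method with resource handling and an input-format check in front of the parameterized query. This is an added illustration, not code from the HealthGuard project; the `PatientLabLookup` class, the injected `DataSource`, and the assumed MRN format (6 to 12 upper-case alphanumerics) are all assumptions made here.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.sql.DataSource;

public class PatientLabLookup {
    // Assumption: MRNs at this deployment are 6 to 12 upper-case alphanumeric characters.
    private static final Pattern MRN_FORMAT = Pattern.compile("^[A-Z0-9]{6,12}$");

    // Same query as the finding's required fix: the only variable part is a bind parameter.
    private static final String LAB_RESULTS_BY_MRN =
        "SELECT p.patient_name, p.ssn, p.date_of_birth, "
      + "l.test_name, l.result_value, l.result_date "
      + "FROM patients p JOIN lab_results l ON p.id = l.patient_id "
      + "WHERE p.mrn = ?";

    private final DataSource dataSource; // hypothetical injected pool

    public PatientLabLookup(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    /** Defence in depth: reject anything that is not a well-formed MRN before it reaches the database. */
    static boolean isValidMrn(String mrn) {
        return mrn != null && MRN_FORMAT.matcher(mrn).matches();
    }

    public List<String[]> findLabResults(String patientMrn) throws SQLException {
        if (!isValidMrn(patientMrn)) {
            throw new IllegalArgumentException("MRN does not match the expected format");
        }
        List<String[]> rows = new ArrayList<>();
        // try-with-resources closes the ResultSet, statement and connection even when an error occurs
        try (Connection conn = dataSource.getConnection();
             PreparedStatement pstmt = conn.prepareStatement(LAB_RESULTS_BY_MRN)) {
            pstmt.setString(1, patientMrn); // bound as data; quotes in the value never alter the SQL
            try (ResultSet rs = pstmt.executeQuery()) {
                while (rs.next()) {
                    rows.add(new String[] {
                        rs.getString("patient_name"), rs.getString("ssn"), rs.getString("date_of_birth"),
                        rs.getString("test_name"), rs.getString("result_value"), rs.getString("result_date")
                    });
                }
            }
        }
        return rows;
    }
}
```

The format check is not a substitute for the bind parameter; it only narrows what reaches the database and gives a clean rejection to log.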