Read a report
Every scan resolves to one screen: a score, a grade, a category breakdown, and a list of findings — each with evidence and a recommendation. Here's how to read each part.
The risk score and grade
The overall score is a 0–100 number where higher is better, mapped to an A–F letter grade in the style of SSL Labs or SecurityHeaders.com. The score is a weighted roll-up of six category scores — it is a relative measure of observable risk, not a pass/fail or a compliance determination.
| Grade | Score | Typically means |
|---|---|---|
| A | 90–100 | Few or only informational indicators. |
| B | 80–89 | Minor gaps; low-risk header or hygiene items. |
| C | 70–79 | Medium-severity indicators worth addressing. |
| D | 60–69 | Several notable indicators, possibly on patient pages. |
| F | 0–59 | High- or critical-severity indicators present. |
The category breakdown
The score decomposes into six weighted categories. The weights reflect where PHI-exposure risk actually concentrates on a healthcare site — trackers on patient-facing pages carry the most weight. See Concepts → How scoring works for the exact table and math.
Findings and severity
Each finding has a severity — critical, high, medium, low, or info — a category, a stable code, a human-readable title and description, the evidence that triggered it (for example, the URL where a pixel was found), and a remediation recommendation. The same tracker is scored more severely on an intake_form or appointment page than on a general marketing page, mirroring the 2022–2023 OCR enforcement pattern.
Work top-down: critical and high findings on patient-facing pages first. Findings you’ve handled or judged inapplicable can be acknowledged, resolved, or marked a false positive in the console — see Guides → Triage findings.
The disclaimer is part of the data
Every report — in the UI and in the API payload — carries a structured disclaimer field. It is not boilerplate you can ignore; it is part of the data contract, stating that the scan covers only public pages and is not a compliance audit or legal determination. If you embed or re-share a report, keep the disclaimer with it.
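The top-down triage order and the rule to keep the disclaimer with any re-shared report, sketched as an added example (not the product's own code). Every payload field name except `disclaimer` is an assumption made for illustration, the sample report is constructed, and "patient-facing" is taken to mean the two page types named above.

```python
# Field names ("severity", "page_type", "code", "findings", "score") are
# assumptions for illustration; only "disclaimer" is named on this page.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
PATIENT_FACING = {"intake_form", "appointment"}  # page types named above
GRADE_FLOORS = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]

def grade_for(score):
    """Map a 0-100 score to the letter grade from the grade table."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    return next(grade for floor, grade in GRADE_FLOORS if score >= floor)

def triage_order(findings):
    """Critical/high findings on patient-facing pages first, then by severity."""
    def key(finding):
        rank = SEVERITY_RANK[finding["severity"]]
        patient = finding.get("page_type") in PATIENT_FACING
        urgent = patient and rank <= SEVERITY_RANK["high"]
        return (not urgent, rank, not patient)
    return sorted(findings, key=key)

def export_for_sharing(report, top_n=None):
    """Return a shareable summary; refuse if the disclaimer would be lost."""
    if not report.get("disclaimer"):
        raise ValueError("report has no disclaimer; refusing to export")
    return {
        "score": report["score"],
        "grade": grade_for(report["score"]),
        "findings": triage_order(report["findings"])[:top_n],
        "disclaimer": report["disclaimer"],
    }

# Constructed sample report (not real scan output).
SAMPLE_REPORT = {
    "score": 64,
    "disclaimer": {"scope": "public pages only", "compliance_audit": False},
    "findings": [
        {"code": "EXAMPLE-001", "severity": "medium", "page_type": "marketing"},
        {"code": "EXAMPLE-002", "severity": "high", "page_type": "intake_form"},
        {"code": "EXAMPLE-003", "severity": "critical", "page_type": "marketing"},
        {"code": "EXAMPLE-004", "severity": "low", "page_type": "appointment"},
    ],
}

if __name__ == "__main__":
    for finding in export_for_sharing(SAMPLE_REPORT)["findings"]:
        print(finding["severity"], finding["page_type"], finding["code"])
```

The high-severity finding on the intake form sorts ahead of the critical finding on a marketing page, and a payload stripped of its disclaimer is rejected instead of being exported.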
Free vs. paid detail