Orem, Utah — June 22, 2026
Utah's Chief Privacy Officer, Christopher Bramwell, spent the night before final pitches at Utah Valley University's HITLAB Healthcare Innovation World Cup and Hackathon mentoring teams chasing two bounties he'd put forward: one on state-endorsed digital identity and AI agents, another on AI-driven data governance. A few feet from where he worked the floor, brothers Aaron and Jac Madsen were building toward the same identity bounty with their startup, Portobello Health.
Their team also included Katie Grow, Vin Jones, and Grace Totten, who Aaron Madsen described as possessing "deeper-than-normal understanding of what happens in healthcare and with PII in general and has a lot of interesting insights for our team."
Competing under the name The American Form of Digital Identity Control and AI Agent Power to the People, they were building a privacy-preserving record-locating tool for healthcare, centered on AI agents that could act on a patient's behalf.

A National Network, and a New Kind of Target
The problem they were chasing is bigger than one hackathon: a new national network of Qualified Health Information Networks, or QHINs, built to let healthcare systems look up patient records nationwide, with every lookup logged across the whole network.
"The result of this is that every single query that comes into this national network of networks is going to get forwarded to all of the qualified health information networks and end up in their audit logs," Aaron Madsen said, "which means the audit logs of each QHIN will contain all of the PII (personally identifiable information) of every single American. Madsen said those audit logs then become a very interesting target for a hacker... If you're looking for it on the black market, you can sell it for quite a bit of money if you are sufficiently morally compromised."

Madsen's characterization of the risk — a growing web of audit logs, each retaining personally identifiable query data — reflects real architecture, though the scale of any single QHIN's exposure would depend on how many queries route through it.
"Having an AI agent that can monitor my medical records, where they are and what's in them, so that I can call up my doctor and say, 'Hey, why did you say this?'... That's a powerful thing, to have an agent sitting there, watching and notifying me," Madsen said. "It's like doing digital identity protection on your behalf, 24/7, and I control it. I'm not just paying some company to do this on my behalf, hoping they do a decent job and don't just take out an insurance policy on my behalf instead."
Their own pitch materials cited Bramwell by name as a driving force behind the framework they were building on, and Jac Madsen described the same control problem Bramwell had, in nearly identical terms, without prompting.
"The critical word for it is control. Companies control an OpenID Connect credential, an OAuth2 credential," Jac Madsen said. "State-endorsed digital identity says the citizen controls that. The individual controls their own identity."
No Bounty, No Regrets
Their team did not win a bounty. By Bramwell's own account of what he was actually looking for, that may say less than it sounds like.
"Our main focus is not so much on the tech, but can they help to explain the story about how agents fit into SEDI," Bramwell said, warning that centralized identity models for AI agents "could end up with, you know, really bad outcomes."
Teammate Vin Jones, a BYU master's student, arrived at almost the same realization on his own.
"This is my first official hackathon... I thought I'd be doing a lot more of the actual coding," Jones said. "Instead, we need a technical understanding and bring it to a non-technical-friendly conversation."
Jac Madsen's reaction was just as striking: "I have learned more about digital identity and the progress that Utah has made in the past 24 hours than I have in the last two years of working in this space."
None of it seemed to discourage them. Aaron Madsen was careful not to take much personal credit.
"I don't want to take too much credit for this. Like, a lot of this that I've been describing to you is stuff that's been being developed by the industry," Aaron Madsen said. "This is something I'm continuing to work on. This is something I'm very interested in engaging with Portobello Health, Jac, and our company."

The project predates the hackathon, and so does the motivation behind it.
"We started trying to just build a digital fire safe and the ability to manage your own health records, and then we got into what are the current protocols for doing that," Aaron Madsen said. Still audibly caught off guard by what he'd found, he put it simply: "As a guy with a background in data security, I kind of went, what? Jake and I personally got motivated to get into this because of personal experiences we've had with the healthcare industry... We got very interested in healthcare about ten years ago for personal reasons."
Madsen had already gotten what he came for before the judging even started.
"The event has been for me personally... the event's already been a marvelous success," he said. "We don't anticipate that we'll work alone and solve everything for everybody, but we want to be part of the group that helps make it better for everybody and continues to iterate on that."
Teammate Katie Grow described the hackathon in similar terms.
"It has been a delicious experience, really terrific people who have been very freely sharing their knowledge and allowing me to participate in a process that's going to make the world a better place, and that has been a delight," Grow said.
By the time Bramwell left the hackathon floor at 9:30 that night, the Madsen brothers were still coding. They didn't need a bounty to know they'd be back.

TechBuzz will continue following the progress of hackathon teams and the run-up to the next HITLAB-UVU Hackathon/Pitch Competition scheduled for mid-November 2026. See previous TechBuzz coverage of this event.