Description
Dear LibreHealth Team,
I am reporting confirmed HIPAA compliance violations identified in the LibreHealth EHR codebase through static analysis and manual code review.
Reporter: Satish Singh, CEO, SecureHealth AI (satish@securehealth-ai.com)
Date: March 23, 2026
Finding 1: Unencrypted PHI Export
Files: BillingExport.csv.php, C_Document.class.php
Severity: Critical
Description: Patient data including patient_id written to plaintext files via fopen/fwrite without encryption.
HIPAA: 45 CFR 164.312(a)(2)(iv) Encryption and Decryption
Finding 2: Weak Authentication
Files: login_operations.php, oemr_password_hash, ESign verification, secure_chat
Severity: High
Description: MD5 and SHA1 used for password validation, document integrity verification, and secure chat hashing. These are directly in authentication and integrity verification pathways.
HIPAA: 45 CFR 164.312(d) Person or Entity Authentication
Finding 3: SQL Injection
Files: code_types.inc.php, MIPS/PQRSEncounter.php
Severity: Critical
Description: SQL queries constructed via string concatenation. Patient portal controllers access PHI without visible authorization checks.
HIPAA: 45 CFR 164.312(a)(1) Access Control
These findings are part of the Healthcare Code Compliance Security Index (2026 Edition), analyzing 3,000+ public healthcare repositories. LibreHealth EHR is named in the report. We intend to publish in the coming days.
Regards,
Satish Singh
CEO, SecureHealth AI
satish@securehealth-ai.com
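An added illustration (not LibreHealth code) of the weak patterns named in Findings 2 and 3 beside their hardened forms: a fast unsalted digest replaced by PHP's password_hash/password_verify, and string-built SQL replaced by a PDO prepared statement. The table name, column names other than patient_id, the sample rows and the in-memory SQLite database are constructed for the demo, which assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not LibreHealth code. Table and sample rows are constructed placeholders.

// Finding 2 pattern: fast, unsalted digest. MD5/SHA1 are not password hashes.
function legacyVerify(string $password, string $storedMd5): bool
{
    return hash_equals($storedMd5, md5($password));
}

// Hardened: slow, salted hash (bcrypt via PASSWORD_DEFAULT), constant-time verify.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function verifyPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Finding 3 pattern: the lookup value becomes part of the SQL text.
function findEncountersUnsafe(PDO $db, string $patientId): array
{
    $sql = "SELECT id, visit_date FROM encounters WHERE patient_id = '" . $patientId . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is bound as a parameter and can never alter the statement.
function findEncountersSafe(PDO $db, string $patientId): array
{
    $stmt = $db->prepare('SELECT id, visit_date FROM encounters WHERE patient_id = :pid');
    $stmt->execute([':pid' => $patientId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo on an in-memory SQLite database with constructed rows (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE encounters (id INTEGER, patient_id TEXT, visit_date TEXT)');
$db->exec("INSERT INTO encounters VALUES (1, '42', '2026-03-01'), (2, '43', '2026-03-02')");

$hash = hashPassword('correct horse battery');
var_dump(verifyPassword('correct horse battery', $hash));
var_dump(verifyPassword('wrong password', $hash));
// A stray quote in the input is just data for the bound query; it matches no rows
// instead of altering or breaking the statement.
var_dump(count(findEncountersSafe($db, "42'")));
var_dump(count(findEncountersSafe($db, '42')));
```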