AI uncovers 38 vulnerabilities in largest open source medical record software

Doctors’ software got hit with 38 security holes — and commenters say nobody should be shocked

TLDR: An AI tool found 38 security problems in a widely used open-source medical records system, including flaws that could expose patient data. Commenters weren’t stunned — many said the bigger story is that healthcare software is often this messy, and closed-source rivals may be no better.

A giant piece of medical records software used by more than 100,000 providers and tied to 200 million patients just had 38 security flaws uncovered by an AI security tool — and the internet’s reaction was basically: wait, only 38? The company behind the scan framed it as a big win for AI-powered bug hunting, saying the tool found more issues in a few months than a famous human-led audit did in 2018. But in the comments, the applause quickly turned into a full-blown reality check.

One camp said this is less a miracle of artificial intelligence and more a brutal reminder that healthcare software is often held together with duct tape and hope. Simon Willison called the bugs “low-hanging fruit,” while another commenter flatly said this is “completely normal and expected” and that people need a “reality check” if they think other software is much better. Ouch. Others went even harder, arguing the real scary part is that closed-source medical software might be just as bad — we just can’t see inside to prove it.

And then came the vintage-code drama. One commenter dug up an old post from a former maintainer who reportedly said parts of the system were so bad they were basically irredeemable, with ancient code from the PHP 3 era apparently still haunting the project like a ghost in the hospital basement. The result? Less “AI saves medicine” and more “everyone is arguing over how alarmed we should be that patient data lives in software commenters describe like a cursed antique.”

Key Points

  • AISLE researchers reported 38 CVEs in OpenEMR during Q1 2026 using the AISLE AI analyzer.
  • The article says OpenEMR is used by more than 100,000 medical providers serving over 200 million patients in 34 languages.
  • OpenEMR 8.0, released in February 2026, is described as ONC-certified under the U.S. federal Health IT certification program, including full Privacy and Security criteria.
  • The reported vulnerabilities included severe SQL injection flaws that could lead to database compromise, PHI exfiltration, and potentially remote code execution.
  • Two highlighted issues were CVE-2026-24908 in the Patient REST API `_sort` parameter and CVE-2026-23627 in the Immunization search/report `patient_id` parameter.
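The article names the two input parameters but shows no code for either flaw. As an added illustration (not OpenEMR's code and not the actual fixes for these CVEs), the block below shows the general defensive pattern for the two input shapes involved: a sort field, which cannot be bound as a query parameter and therefore needs an allow-list, and a patient id, which is data and should be validated and bound through a prepared statement. The table and column names (`patient_data`, `immunizations`) and all function names are hypothetical; the rows are constructed so the script runs stand-alone against in-memory SQLite.

```php
<?php
// Added example, not OpenEMR code. Demonstrates the two safe-handling
// patterns for the input classes named in the CVE summaries above.

// Only column names from this fixed map may reach ORDER BY. Identifiers
// cannot be bound with PDO placeholders, so an allow-list is the standard
// defence for sort/order parameters. (Hypothetical column names.)
const ALLOWED_SORT_COLUMNS = [
    'lname' => 'p.lname',
    'fname' => 'p.fname',
    'dob'   => 'p.DOB',
];

// Builds the patient listing query from a user-supplied sort value such as
// "lname" or "-dob" (leading "-" meaning descending). Anything not in the
// allow-list is rejected before it can touch the SQL string.
function buildPatientQuery(string $sortParam): array
{
    $desc  = str_starts_with($sortParam, '-');
    $field = ltrim($sortParam, '-');
    if (!array_key_exists($field, ALLOWED_SORT_COLUMNS)) {
        throw new InvalidArgumentException("Unsupported sort field: $field");
    }
    // $orderBy is assembled only from values defined in this file.
    $orderBy = ALLOWED_SORT_COLUMNS[$field] . ($desc ? ' DESC' : ' ASC');
    return [
        "SELECT p.pid, p.fname, p.lname, p.DOB FROM patient_data p ORDER BY $orderBy",
        [],
    ];
}

// patient_id is a data value: check its shape, then bind it as a parameter
// so the database never interprets it as SQL.
function buildImmunizationQuery(string $patientIdParam): array
{
    if ($patientIdParam === '' || !ctype_digit($patientIdParam)) {
        throw new InvalidArgumentException('patient_id must be a positive integer');
    }
    return [
        'SELECT i.id, i.administered_date, i.cvx_code FROM immunizations i WHERE i.patient_id = :pid',
        [':pid' => (int) $patientIdParam],
    ];
}

// Runs a [sql, params] pair through a prepared statement.
function runQuery(PDO $db, array $queryAndParams): array
{
    [$sql, $params] = $queryAndParams;
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Stand-alone demo with constructed data -------------------------------
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE patient_data (pid INTEGER, fname TEXT, lname TEXT, DOB TEXT)');
$db->exec('CREATE TABLE immunizations (id INTEGER, patient_id INTEGER, administered_date TEXT, cvx_code TEXT)');
$db->exec("INSERT INTO patient_data VALUES (1, 'Ada', 'Lovelace', '1815-12-10'), (2, 'Alan', 'Turing', '1912-06-23')");
$db->exec("INSERT INTO immunizations VALUES (10, 1, '2025-10-01', '140'), (11, 2, '2025-11-15', '140')");

// Valid inputs: sorted patient list and one patient's immunizations.
print_r(runQuery($db, buildPatientQuery('-lname')));
print_r(runQuery($db, buildImmunizationQuery('1')));

// Invalid inputs are refused before any SQL is built.
foreach ([['sort', 'created_at'], ['pid', 'abc']] as [$kind, $bad]) {
    try {
        $kind === 'sort' ? buildPatientQuery($bad) : buildImmunizationQuery($bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected $kind input: " . $e->getMessage() . PHP_EOL;
    }
}
```

The split between the two functions is the point: a sort column is part of the query's structure, so the only safe source for it is a map the application controls, while a patient id is a value and belongs in a bound parameter. Treating both the same way (string interpolation) is how SQL injection in search, report and REST sort parameters typically arises.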

Hottest takes

"sounds to me like this project had some low-hanging fruit!" — simonw
"Completely normal and expected." — demorro
"it was an absolute disaster" — david_shaw
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.