[SECURITY] Compliance Vulnerability Disclosure: XXE, Weak Crypto, and Weak Password Policy in Mirth Connect #6527

Description

@Nirvahana

Dear NextGen Healthcare / Mirth Connect Team,

I am reporting confirmed HIPAA compliance violations identified in the Mirth Connect codebase through static analysis and manual code review.

Note: I was unable to find a dedicated security contact for Mirth Connect. Please direct me to the appropriate channel if preferred.

Reporter: Satish Singh, CEO, SecureHealth AI (satish@securehealth-ai.com)
Date: March 23, 2026

Finding 1: XXE Vulnerabilities
Files: X12Vocabulary.java (line 74), XsltStep.java
Severity: Critical
Description: JAXB createUnmarshaller() and unmarshal() are used without XXE protections to parse X12 healthcare transaction XML files. XsltStep.java generates JavaScript code that calls TransformerFactory.newInstance() without XXE protections for user-supplied XSLT templates.
HIPAA: 45 CFR 164.312(c)(1) Integrity Controls

Finding 2: Weak Cryptography in DICOM Connectors
Files: DICOMListener.java, DICOMSender.java, MirthSSLUtil.java
Severity: Critical
Description: 3DES cipher suites (NIST-deprecated 2023) and SSLv2/SSLv3 protocol options offered for DICOM connections. MirthSSLUtil.java includes SSLv2Hello in default server protocols.
HIPAA: 45 CFR 164.312(a)(2)(iv) Encryption and Decryption; 45 CFR 164.312(e)(1) Transmission Security

Finding 3: Weak Password Policy
Files: PasswordRequirementsChecker.java, CommandLineInterface.java
Severity: High
Description: All password requirements (minLength, minLower, minUpper, minNumeric, minSpecial) default to 0. CLI enforces minimum password length of only 4 characters.
HIPAA: 45 CFR 164.308(a)(5)(ii)(D) Password Management

These findings are part of the Healthcare Code Compliance Security Index (2026 Edition), analyzing 3,000+ public healthcare repositories. Mirth Connect is named in the report. We intend to publish in the coming days.

Regards,
Satish Singh
CEO, SecureHealth AI
satish@securehealth-ai.com
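For readers triaging the three findings above, here is an added example of what the corresponding hardened code looks like. It is illustrative code written for this page, not Mirth Connect's own source, and it assumes JAXB (`javax.xml.bind`) is on the classpath (as on Java 8 or with a bundled JAXB), the standard JDK/Xerces SAX feature URIs, and an allow-list policy of TLS 1.2/1.3 only; the password defaults (12/1/1/1/1) are an assumed illustrative policy, not a Mirth Connect setting. Class and method names are hypothetical.

```java
import java.io.StringReader;
import java.util.Arrays;
import java.util.List;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;

import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

/** Hypothetical hardening helpers for the three findings; not Mirth Connect code. */
public final class HardeningExamples {

    // ---- Finding 1: XXE ----------------------------------------------------
    // JAXB itself has no XXE switch. Parse with a SAX reader that forbids DOCTYPE
    // and external entities, then hand JAXB the resulting SAXSource.
    public static <T> T unmarshalSafely(JAXBContext ctx, Class<T> type, String xml)
            throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting any DOCTYPE is the single most effective XXE control.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        SAXSource source = new SAXSource(reader, new InputSource(new StringReader(xml)));
        Unmarshaller u = ctx.createUnmarshaller();
        return u.unmarshal(source, type).getValue();
    }

    // For user-supplied XSLT (the XsltStep case): block external DTDs and
    // stylesheet includes/imports so a template cannot reach local files or URLs.
    public static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // ---- Finding 2: TLS protocols and cipher suites -----------------------
    // Assumed policy: TLS 1.2 and 1.3 only. "SSLv2Hello", "SSLv3", "TLSv1" and
    // "TLSv1.1" are all dropped by the allow-list below.
    private static final List<String> ALLOWED_PROTOCOLS = Arrays.asList("TLSv1.3", "TLSv1.2");

    public static boolean isWeakCipherSuite(String suite) {
        // Catches 3DES (*_3DES_EDE_CBC_*), single DES, RC4, NULL, anonymous and export suites.
        return suite.contains("3DES") || suite.contains("_DES_") || suite.contains("RC4")
                || suite.contains("NULL") || suite.contains("anon") || suite.contains("EXPORT");
    }

    public static SSLParameters hardenedSslParameters(SSLContext ctx) {
        SSLParameters params = ctx.getDefaultSSLParameters();
        String[] protocols = Arrays.stream(ctx.getSupportedSSLParameters().getProtocols())
                .filter(ALLOWED_PROTOCOLS::contains)
                .toArray(String[]::new);
        String[] suites = Arrays.stream(params.getCipherSuites())
                .filter(s -> !isWeakCipherSuite(s))
                .toArray(String[]::new);
        params.setProtocols(protocols);
        params.setCipherSuites(suites);
        return params;
    }

    // ---- Finding 3: password policy ---------------------------------------
    // Same five knobs the report names, but with non-zero defaults
    // (illustrative assumption, not a Mirth Connect value).
    public static final class PasswordPolicy {
        public final int minLength, minLower, minUpper, minNumeric, minSpecial;

        public PasswordPolicy(int minLength, int minLower, int minUpper, int minNumeric, int minSpecial) {
            this.minLength = minLength; this.minLower = minLower; this.minUpper = minUpper;
            this.minNumeric = minNumeric; this.minSpecial = minSpecial;
        }

        public static PasswordPolicy recommendedDefaults() {
            return new PasswordPolicy(12, 1, 1, 1, 1);
        }

        public boolean accepts(String pw) {
            int lower = 0, upper = 0, digit = 0, special = 0;
            for (char c : pw.toCharArray()) {
                if (Character.isLowerCase(c)) lower++;
                else if (Character.isUpperCase(c)) upper++;
                else if (Character.isDigit(c)) digit++;
                else special++;
            }
            return pw.length() >= minLength && lower >= minLower && upper >= minUpper
                    && digit >= minNumeric && special >= minSpecial;
        }
    }
}
```

Usage: pass the `SSLParameters` from `hardenedSslParameters(SSLContext.getDefault())` to `SSLSocket.setSSLParameters(...)` or `SSLServerSocket.setSSLParameters(...)` on the listener and sender side; any X12 payload carrying a `<!DOCTYPE ...>` is rejected by `unmarshalSafely` before JAXB sees it, which is the behaviour to verify in a regression test for Finding 1.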
