
We scanned 3,000 healthcare repositories. Here's what we found in CDC, VA, NHS, and Google's code.
Healthcare software is failing compliance at the code level. Not in theory. Not in edge cases. Across the board.

We built an AST-based static analysis engine that maps code patterns directly to HIPAA sections, GDPR articles, SOC 2 criteria, and India's DPDPA requirements. Then we pointed it at 3,000 public healthcare repositories across 9 programming languages. The result: 13,427 confirmed violations, with 43.6% of repositories affected.

Here are five findings that stood out.

1. The VA suppressed a TLS security warning in its veteran SMS handler

The US Department of Veterans Affairs notification-api handles SMS, email, and push notifications for 9+ million veterans. One Lambda function disables TLS certificate verification with `verify=False`. The same line carries an explicit `# nosec` annotation, the comment Bandit (the Python security scanner) honors as a suppression. The development team knew. They suppressed the warning anyway. With verification off, the client accepts any certificate, so a network-position attacker can present their own and read or alter the notification traffic. All affected functions deploy to production via GitHub Actions across dev, staging, perf, and prod envi
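An added example of the kind of check described above, written for this page and not taken from the authors' scanner or from the VA repository: it parses Python source with the standard `ast` and `tokenize` modules, flags every call that passes the literal keyword `verify=False`, and records whether the offending line carries a `# nosec` comment. The point it demonstrates is that a `# nosec` suppression silences Bandit but is fully visible to any other AST walker, so a compliance scanner can report the finding and the suppression together. The sample source is constructed for the example; the function names in it (`notify`, `fetch`, `deliver`) are hypothetical.

```python
"""Added example (not the article's scanner): find `verify=False` keyword
arguments in Python source and note whether each is suppressed with `# nosec`."""
import ast
import io
import tokenize
from dataclasses import dataclass

# Constructed sample input: one suppressed bypass, one verified call,
# one unsuppressed bypass. Function names are hypothetical.
SAMPLE_SOURCE = '''
import requests

def notify(url, payload):
    # Constructed example of the pattern described in the article.
    return requests.post(url, json=payload, verify=False)  # nosec

def fetch(url, session):
    return session.get(url, verify=True)

def deliver(url, body):
    requests.put(url, data=body, verify=False)
'''


@dataclass
class Finding:
    lineno: int        # source line of the call
    call: str          # attribute or function name that was called
    suppressed: bool   # True if the line carries a `# nosec` comment


def _nosec_lines(source: str) -> set:
    """Line numbers carrying a `# nosec` comment.

    Uses the tokenizer rather than a substring search so that the word
    'nosec' inside a string literal is not mistaken for a suppression."""
    lines = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT and "nosec" in tok.string.lower():
            lines.add(tok.start[0])
    return lines


def _call_name(node: ast.Call) -> str:
    """Best-effort name of the callee: `requests.post(...)` -> 'post'."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return "<unknown>"


def find_tls_verify_disabled(source: str) -> list:
    """Return a Finding for every call passing the literal `verify=False`.

    Only literal False is matched; `verify=some_flag` is a different
    (configuration-driven) case that this check deliberately leaves alone."""
    suppressed = _nosec_lines(source)
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (kw.arg == "verify"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is False):
                findings.append(Finding(node.lineno, _call_name(node),
                                        node.lineno in suppressed))
    return findings


if __name__ == "__main__":
    for f in find_tls_verify_disabled(SAMPLE_SOURCE):
        flag = "suppressed with # nosec" if f.suppressed else "unsuppressed"
        print(f"line {f.lineno}: {f.call}(..., verify=False) [{flag}]")
```

Run against the constructed sample, the check reports the `requests.post` call on line 6 as suppressed and the `requests.put` call on line 12 as unsuppressed, while the `verify=True` call is not reported. The remediation in either case is the same: drop `verify=False` and, if a private CA is in play, point `verify` at that CA bundle instead of turning verification off.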
Continue reading on Dev.to


