Alieksandr Kuznietsov
unread,Jun 30, 2026, 4:49:10 AM (2 days ago) Jun 30Sign in to reply to author
Sign in to forward
You do not have permission to delete messages in this group
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to dcm4che
### Summary
We found a race condition where dcm4chee-arc allowed two Patient records to be created with the same patient identifiers: the same Patient ID and the same Issuer of Patient ID.
After that, further MWL creation for this patient fails with:
```text
409 Conflict
Non Unique Patients found for patient identifiers in request payload
```
The practical impact is serious: the patient becomes unusable for further MWL workflows. In our environment we also could not safely merge or delete only one of the duplicated patient records from the archive.
### Environment
- Product: dcm4chee-arc / dcm4chee-arc-light
- Version: [please fill in exact version]
- Database: [please fill in, e.g. PostgreSQL]
- Deployment: [please fill in, e.g. Docker/WildFly]
- API used: DICOMweb REST patient creation + MWL creation
### How we discovered it
This was found during an integration test between our RIS and an external HIS/MIS.
A patient later started failing on MWL creation with:
```text
409 Conflict
Non Unique Patients found for patient identifiers in request payload
```
We inspected our application logs and found that the duplicate was created earlier, when two requests for the same new patient arrived almost simultaneously.
Timeline from our logs:
```text
2026-06-23 11:58:27.051 - Patient/MWL request #1 received
2026-06-23 11:58:27.055 - Patient/MWL request #2 received
Both requests used:
Patient ID: 0c1ce1ec-d834-4efa-baf4-b781e9599a7d
Issuer of Patient ID: XRAYPORTAL
Both requests performed patient lookup and received "patient not found".
Both requests then created a patient record.
2026-06-23 11:58:29.881 - patient created, name in Cyrillic
2026-06-23 11:58:30.063 - patient created again, same Patient ID / Issuer, name transliterated
```
After that, any attempt to create MWL for this patient failed because the archive reported non-unique patients.
The different patient names are not the main problem. One branch used a transliterated name because one modality does not support Cyrillic. The key problem is that two records with the same Patient ID and Issuer were persisted.
### Expected behavior
The archive should guarantee uniqueness of a patient by the patient identifiers, at least by:
- Patient ID `(0010,0020)`
- Issuer of Patient ID `(0010,0021)` / assigning authority
If two concurrent requests try to create the same patient, the archive should do one of the following atomically:
1. create exactly one patient and make the other request reuse/update the same patient, or
2. reject one request with a deterministic conflict/duplicate response before persisting a second patient.
It should never persist two active Patient records with the same Patient ID and Issuer.
### Actual behavior
Under concurrent create requests, dcm4chee-arc persisted two Patient records with the same Patient ID and Issuer.
Later MWL creation fails with:
```text
409 Conflict
Non Unique Patients found for patient identifiers in request payload
```
This leaves the patient in a broken state for downstream workflows.
### Suggested reproduction
1. Ensure that a patient does not exist in the archive.
2. Prepare two patient creation requests with the same identifiers:
```text
Patient ID: RACE-TEST-001
Issuer of Patient ID: TESTISSUER
```
Use different Patient Names if needed to make the duplicate visible, for example:
```text
Request A: Patient Name = Test^Race
Request B: Patient Name = Test^RaceTransliterated
```
3. Send both create requests concurrently to the archive patient creation endpoint, with minimal delay between them.
Example pseudo-code:
```bash
# terminal/process 1
curl -X POST http://<host>:<port>/dcm4chee-arc/aets/<AET>/rs/patients \
-H "Content-Type: application/dicom+json" \
--data @patient-a.json
# terminal/process 2, started at the same time
curl -X POST http://<host>:<port>/dcm4chee-arc/aets/<AET>/rs/patients \
-H "Content-Type: application/dicom+json" \
--data @patient-b.json
```
Where both JSON bodies contain the same Patient ID and Issuer.
4. Query the patient by Patient ID / Issuer.
Expected: one patient record.
Observed in our case: two patient records with the same identifiers.
5. Try to create an MWL item referencing that patient.
Observed result:
```text
409 Conflict
Non Unique Patients found for patient identifiers in request payload
```
### Impact
This is not only a duplicate display issue. Once the duplicate exists, MWL creation for the patient fails, and the integration workflow is blocked. In our test environment this affected a real HIS/RIS integration scenario.
### Notes
We have added application-level locking on our side to avoid triggering this race again. However, we believe the archive should still enforce uniqueness atomically at the storage/database level, because concurrent clients or integrations can otherwise corrupt the patient state.