Dental practice software maker fixes bug that exposed patients’ medical records
Source: TechCrunch
Security Flaw Overview
Practice by Numbers, the developer of a patient management software used in thousands of dental offices, has fixed a security flaw that exposed private health records on a bundled patient portal, TechCrunch has learned.
The portal is part of a dental office management suite made by Practice by Numbers, which claims its products are used in over 5,000 dental practices across the United States.
Discovery and Exploitation
One patient, Joseph R. Cox, reported the bug after encountering it while viewing his own dental records on the portal offered by his dentist’s office. Cox said the bug allowed any logged‑in user to access documents belonging to other patients by changing the document number in the web address. Because document numbers appear to be assigned sequentially, other patients’ file identifiers are easy to guess.
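The access-control gap described above, modelled in Python as an added illustration (this is not Practice by Numbers' code, which the article does not show): a document handler that checks only that the caller is logged in, beside one that also checks the document belongs to the session's patient, plus a check over portal access-log lines that flags a session downloading consecutive document ids, the kind of review the company's log-based exposure count implies. Function names, the log line format and the sample records are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample store; document ids are sequential, as in the article.
DOCUMENTS = {
    1001: {"patient_id": "p-1", "title": "X-ray"},
    1002: {"patient_id": "p-2", "title": "Treatment plan"},
    1003: {"patient_id": "p-3", "title": "Invoice"},
}

class NotFound(Exception):
    pass

def get_document_vulnerable(session_patient_id, doc_id):
    # Checks only that the id exists: any logged-in patient reads any record.
    if doc_id not in DOCUMENTS:
        raise NotFound(doc_id)
    return DOCUMENTS[doc_id]

def get_document_fixed(session_patient_id, doc_id):
    # Object-level authorization: the record must belong to this session's patient.
    # Missing and foreign ids raise the same error, so replies do not reveal ids.
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["patient_id"] != session_patient_id:
        raise NotFound(doc_id)
    return doc

# Constructed access-log format: "<patient_id> GET /documents/<id> <status>"
LOG_RE = re.compile(r"^(\S+) GET /documents/(\d+) (\d{3})$")

def longest_consecutive_run(ids):
    best = cur = 0
    prev = None
    for i in sorted(ids):
        cur = cur + 1 if prev is not None and i == prev + 1 else 1
        best, prev = max(best, cur), i
    return best

def flag_enumeration(log_lines, min_run=3):
    # A session whose successful downloads cover min_run or more consecutive
    # ids looks like a walk through the id space, not a patient's own files.
    per_user = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(3) == "200":
            per_user[m.group(1)].add(int(m.group(2)))
    runs = {u: longest_consecutive_run(ids) for u, ids in per_user.items()}
    return {u: r for u, r in runs.items() if r >= min_run}

SAMPLE_LOG = ["p-1 GET /documents/1001 200", "p-2 GET /documents/1002 200",
              "p-2 GET /documents/1001 200", "p-2 GET /documents/1003 200", "p-2 GET /documents/1004 404"]
```

Running `flag_enumeration(SAMPLE_LOG)` flags session `p-2`, which pulled ids 1001 to 1003, while the fixed handler refuses `p-1` a document owned by `p-2`.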
Cox attempted to alert the company via email but received no response. He then notified TechCrunch as a last resort, prompting the company to patch the issue.
Company Response
TechCrunch alerted Practice by Numbers to the issue on April 13. The company took down its patient portal, fixed the vulnerability, and brought the portal back online on April 17.
Practice by Numbers’ co‑founder and chief technology officer, Chris Lau, said the vulnerability had been resolved and that fewer than 10 patients were notified of exposure, based on server logs. The company is working with the affected dental practice to inform the impacted patients. Lau added that there was no evidence of prior exploitation, suggesting Cox was the first to discover the flaw.
When asked about a security audit of the portal prior to launch, neither Lau nor co‑founder and president Rohit Garg provided a definitive answer. Garg indicated that the company plans to update its website to allow security researchers to report vulnerabilities, though no timeline was given.
Industry Context
The incident highlights a broader trend of consumers uncovering security flaws in products or websites without clear reporting channels. Earlier in April, fashion retailer Express fixed a website bug that exposed customers’ personal data after a user could not find a way to alert the company. A similar case involved Home Depot in December, where a security researcher’s reports were ignored until TechCrunch intervened.