Dental practice software maker fixes bug that exposed patients’ medical records

Practice by Numbers, the firm behind widely used patient management software in dental offices, has addressed a critical security vulnerability that exposed personal health records. This issue came to light after a patient, Joseph R. Cox, discovered the flaw while reviewing his dental records through a portal provided by his dentist. The patient portal, integral to the dental office management system offered by Practice by Numbers, is utilized in over 5,000 dental practices across the U.S. Cox reported that the bug allowed users to view medical documents of other patients, including sensitive information such as personal details and health histories. Alarmingly, his own records were also accessible to others. Cox attempted to contact Practice by Numbers to report the security issue but received no response. Frustrated, he reached out to TechCrunch to highlight the flaw, which was relatively simple to exploit. By merely altering the document number in the web address, any logged-in user could potentially access files belonging to different patients, as the document numbers appeared to follow a sequential pattern. The incident underscores a growing concern where consumers discover significant security flaws but lack straightforward channels for reporting them to companies. Similar situations have arisen recently; for instance, a customer found a vulnerability on the Express website that compromised order details, yet was unable to inform the retailer directly. In another case, a security researcher faced challenges alerting Home Depot about a prolonged security lapse. TechCrunch brought the vulnerability to the attention of Practice by Numbers on April 13. The company subsequently took down its patient portal for repairs and reinstated it on April 17. Chris Lau, co-founder and CTO of Practice by Numbers, confirmed the flaw is now fixed and stated that fewer than 10 patients were notified about the exposure of their data, based on server logs. The firm is collaborating with the affected dental practice to inform these patients. Lau indicated that there was no evidence of prior exploitation of the bug, suggesting Cox may have been the first to uncover it. When questioned about whether a security audit had been conducted on the patient portal before its launch, neither Lau nor co-founder and president Rohit Garg confirmed its occurrence. Although software cannot be entirely free of bugs, organizations dealing with sensitive data typically engage in rigorous third-party security audits before deployment. In response to this incident, Garg mentioned that the company intends to enhance its website to facilitate the reporting of security flaws in the future, although no specific timeline was provided.