Practice by Numbers, the developer of a patient management software used in thousands of dentists’ offices, has fixed a security flaw that exposed the private health records of patients on a portal that comes bundled with the software, TechCrunch has learned.
One patient, Joseph R. Cox, reported the bug to TechCrunch after he encountered the issue while looking at his own dental records on the portal, which was offered by his dentist’s office.
This patient portal is part of a dental office management software made by Practice by Numbers, which claims its products are used in over 5,000 dental practices across the United States.
Cox said the bug allowed any user of the portal, which houses patients’ medical documents and health records, to access documents belonging to other patients. He said he was able to access other patients’ documents from his account, including their personal information, medical histories, photo identification, and other files. The bug also meant that Cox’s records were just as exposed to other patients.
Cox said he attempted to alert the company about the issue via email, but did not hear back. He then notified TechCrunch as a last resort to ask the company to patch the bug.
The bug was remarkably easy to exploit by anyone with a login to the Practice by Numbers’ patient portal. Cox said changing the document number in the web address while loading one of his documents in the portal allowed users to access other patients’ files.
Worse, Cox said the document numbers in the web address appear to be sequentially incremental, so it could be possible to easily guess the document numbers of other people’s medical files.
Cox told TechCrunch that he faced difficulties in alerting Practice by Numbers to the issue, as the company offered no discernible avenue to report security problems. The company’s email address on its website was broken, with emails returned as undeliverable. Instead, Cox sent a message to one of the company’s founders on LinkedIn, but heard nothing back after sending a subsequent email.
The issue, now fixed, highlights a recent trend in which regular consumers are finding security flaws in companies’ products or websites, but have no clear way to report the issue to the developers.
Earlier in April, fashion retailer Express fixed a website bug that allowed anyone to access the order details and personal information of other customers, after a user identified the bug, but found no way to alert the company. A similar incident involved Home Depot in December: A security researcher tried to privately alert the company about a security lapse that was exposing access to its internal systems for almost a year, but their reports were ignored until TechCrunch contacted the company.
Given the security flaw was actively putting patients’ data at risk, TechCrunch alerted Practice by Numbers to the issue on April 13. The company took down its patient portal to fix the bug, and brought it back online on April 17.
Practice by Numbers’ co-founder and chief technology officer, Chris Lau, told TechCrunch that the company had fixed the vulnerability, and it was notifying fewer than 10 patients that their information was exposed due to the bug, citing its server logs.
The company said it was working with the affected dental practice to notify the affected patients. Lau said that the company had not identified evidence of previous activity related to the bug, suggesting Cox was likely the first to find it.
Cox confirmed that the bug appears to have been fixed.
When asked by TechCrunch, neither Lau nor Practice by Number’s co-founder and president, Rohit Garg, would say if the company’s patient portal had undergone a security audit before it was launched. Companies commonly undergo security audits to ensure their products meet cybersecurity standards, and are free from common security flaws before customers begin using them.
While no software is ever completely bug-free, companies that handle sensitive information, like healthcare data, typically seek third-party reviews of their code to weed out any major security flaws.
When asked if Practice by Numbers plans to update its website to allow security researchers to notify the company of security flaws, such as through a vulnerability disclosure program, Garg said the company plans to update its website to let people report security issues. The company did not offer a timeline.
When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.