Practice by Numbers, the developer of patient management software used in thousands of dental offices, has patched a security flaw that exposed patients’ private health records in a portal that comes with the software, according to TechCrunch.
A patient, Joseph R. Cox, reported the bug to TechCrunch after encountering the problem while looking at his own dental records on the portal, which was offered by his dental office.
This patient portal is part of a dental practice management software created by Practice by Numbers, which claims Its products are used in more than 5,000 dental practices in the United States.
Cox said the bug allowed any user of the portal, which hosts medical documents and patient health records, to access documents belonging to other patients. He said he was able to access other patients’ documents from his account, including their personal information, medical history, photo ID and other records. The bug also meant Cox’s records were equally exposed to other patients.
Cox said he tried to notify the company of the issue via email but did not receive a response. He then notified TechCrunch as a last resort to ask the company to fix the bug.
The bug was extremely easy to exploit by logging into Practice by Numbers’ patient portal. Cox said changing the document number in the web address when uploading one of his documents to the portal allowed users to access other patients’ records.
Worse, Cox said the document numbers on the web address appear to be sequentially incremented, so it could be possible to easily guess the document numbers of other people’s medical records.
Cox told TechCrunch that he had difficulty notifying Practice by Numbers about the issue because the company didn’t offer any distinct avenues to report security issues. The company’s email address on its website was broken, with emails being returned as undeliverable. Instead, Cox sent a message to one of the company’s founders on LinkedIn, but didn’t hear back after sending a follow-up email.
The problem, which has now been fixed, highlights a recent trend in which regular consumers find security flaws in companies’ products or websites, but have no clear way to report the problem to developers.
Earlier in April, fashion retailer Express fixed a website bug that allowed anyone to access other customers’ order details and personal information after a user spotted the error but found no way to notify the company. A similar incident involved Home Depot in December: A security researcher tried to privately notify the company about a security flaw that exposed access to its internal systems for nearly a year, but their reports were ignored until TechCrunch contacted the company.
Since the security flaw was actively putting patient data at risk, TechCrunch notified Practice by Numbers about the issue on April 13. The company took its patient portal down to fix the error and brought it back online on April 17.
Practice by Numbers co-founder and chief technology officer Chris Lau told TechCrunch that the company had patched the vulnerability and was notifying fewer than 10 patients that their information was exposed because of the bug, citing its server logs.
The company said it is working with the affected dental office to notify affected patients. Lau said the company had found no evidence of previous activity related to the bug, suggesting Cox was likely the first to find it.
Cox confirmed that the bug appears to have been fixed.
When asked by TechCrunch, neither Lau nor Practice from Number co-founder and president Rohit Garg would answer whether the company’s patient portal had undergone a security audit before its launch. Companies typically undergo security audits to ensure their products meet cybersecurity standards and are free of common security flaws before customers start using them.
While no software is ever completely bug-free, companies that handle sensitive information, such as healthcare data, typically seek third-party reviews of their code to eliminate any significant security flaws.
When asked if Practice by Numbers plans to update its website to allow security researchers to notify the company of security flaws, such as through a vulnerability disclosure program, Garg said the company plans to update its website to allow users to report security issues. The company did not offer a timeline.
When you purchase through links in our articles, we may earn a small commission. This does not affect our editorial independence.
