Practice by Numbers, a developer of patient management software used in many dentist offices, has corrected a security flaw that exposed patient health records on a software portal, TechCrunch reports.
Joseph R. Cox, a patient, informed TechCrunch after discovering the issue while reviewing his own dental records on a portal provided by his dentist’s office.
This portal is part of management software by Practice by Numbers, which claims over 5,000 U.S. dental practices use its products.
Cox discovered that the bug allowed users to view, from their own accounts, other patients’ documents, including personal information, medical histories, and photo IDs. Consequently, his records were also exposed.
He attempted to notify the company via email but received no response and thus contacted TechCrunch to ensure the bug was fixed.
The flaw could be easily exploited by altering the document number in the web address. Because the document numbers were sequentially incremental, file locations were easier to guess.
Cox struggled to report the issue due to missing communication channels and instead messaged a company founder on LinkedIn with no success.
After TechCrunch alerted the company on April 13, Practice by Numbers took down its portal to fix the issue, relaunching it on April 17.
Chris Lau, the co-founder and CTO, confirmed the repair and noted that they were notifying fewer than 10 patients of potential data exposure, based on server logs. Lau claimed no prior activity related to the bug was evident.
Cox verified the issue was resolved.
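An added example, not code from Practice by Numbers or from TechCrunch's report: a Python sketch of the per-request ownership check that closes a sequential-document-number flaw of the kind described above, together with the access-log review that identifies which patients to notify. The `/documents/<n>` path, the account names, the log format and all data are constructed assumptions.

```python
from collections import defaultdict

# Constructed data: document number -> owning patient account.
DOCUMENT_OWNER = {1001: "patient-a", 1002: "patient-b",
                  1003: "patient-c", 1004: "patient-a"}

def fetch_flawed(session_account, doc_id):
    """Flawed pattern: any signed-in account gets any existing number."""
    return 200 if doc_id in DOCUMENT_OWNER else 404

def fetch_checked(session_account, doc_id):
    """Serve a document only to the account that owns it. Foreign and
    unknown numbers both return 404, so responses do not confirm
    which numbers exist."""
    if DOCUMENT_OWNER.get(doc_id) != session_account:
        return 404
    return 200

# Constructed log lines: "<time> <account> <method> <path> <status>"
SAMPLE_LOG = """\
2024-01-01T10:00:01Z patient-a GET /documents/1001 200
2024-01-01T10:00:05Z patient-a GET /documents/1004 200
2024-01-01T10:02:11Z patient-b GET /documents/1002 200
2024-01-01T10:02:14Z patient-b GET /documents/1003 200
2024-01-01T10:02:15Z patient-b GET /documents/1004 200
2024-01-01T10:02:16Z patient-b GET /documents/1005 404
"""

def cross_account_reads(log_text, owners):
    """Map each account to the documents it fetched successfully
    without owning them (the people to notify are their owners)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _, account, _, path, status = fields
        number = path.rsplit("/", 1)[-1]
        if status != "200" or not number.isdigit():
            continue
        owner = owners.get(int(number))
        if owner is not None and owner != account:
            hits[account].add(int(number))
    return {acct: sorted(docs) for acct, docs in hits.items()}

def exposed_owners(reads, owners):
    """Accounts whose documents appear in the cross-account reads."""
    return sorted({owners[d] for docs in reads.values() for d in docs})
```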
Neither Lau nor co-founder Rohit Garg disclosed whether the portal underwent a security audit before launch. Such audits are commonly used to ensure cybersecurity standards are met and to eliminate common security issues.
Asked about implementing a vulnerability disclosure program to report security flaws, Garg said they plan a website update for reporting such issues, without specifying when.
