Practice by Numbers, the developer of patient management software used by thousands of dental practices, has fixed a security flaw that exposed patients' personal health records on a portal bundled with the software, TechCrunch has learned.
One patient, Joseph R. Cox, reported the bug to TechCrunch after encountering an issue while viewing his dental records in the portal provided by his dental office.
The patient portal is part of dental practice management software created by Practice by Numbers, which claims its products are used in more than 5,000 dental practices across the United States.
Cox said the bug allowed anyone using the portal where a patient's medical documents and health records were stored to access other patients' documents. He said his account had access to other patients' documents, including their personal information, medical histories, photo IDs and other files. The bug meant Cox's records were exposed to other patients as well.
Cox said he tried to alert the company about the issue via email, but received no response. He then notified TechCrunch as a last resort and asked the company to patch the bug.
The bug was trivially exploitable by anyone logged into the Practice by Numbers patient portal. Cox said that by changing the document number in the web address while viewing one of his own documents in the portal, a user could load other patients' files.
To make matters worse, Cox said it could be easy to guess document numbers in other people's medical files because the document numbers in the web address appear to be sequentially increasing.
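As an added illustration (not Practice by Numbers' code; the user names, document IDs and records are constructed), here is the access pattern Cox describes beside its fix: an ownership check on every document lookup, plus a random handle in place of the guessable sequential number.

```python
import secrets

# Constructed sample data: sequential document IDs, each owned by one patient.
DOCUMENTS = {
    1001: {"owner": "alice", "title": "Photo ID"},
    1002: {"owner": "bob", "title": "Medical history"},
    1003: {"owner": "alice", "title": "X-ray report"},
}

def get_document_vulnerable(session_user, doc_id):
    """Insecure direct object reference: the record is fetched by the number in
    the URL and nothing ties it to the logged-in user, so any authenticated
    patient who changes that number reads someone else's file."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise LookupError("document not found")
    return doc

def get_document_hardened(session_user, doc_id):
    """Fix: authorize on every lookup. A foreign document and a missing one
    raise the same error, so responses do not reveal which IDs exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session_user:
        raise LookupError("document not found")
    return doc

# Defense in depth, not a replacement for the check above: expose a random
# handle instead of the sequential row number, so IDs cannot be guessed.
HANDLES = {}  # random handle -> internal sequential ID

def publish_handle(doc_id):
    handle = secrets.token_urlsafe(16)
    HANDLES[handle] = doc_id
    return handle

def get_document_by_handle(session_user, handle):
    doc_id = HANDLES.get(handle)
    if doc_id is None:
        raise LookupError("document not found")
    return get_document_hardened(session_user, doc_id)

def readable_titles(handler, session_user, id_range):
    """Regression check for the fix: titles one session can read over an ID range."""
    titles = []
    for doc_id in id_range:
        try:
            titles.append(handler(session_user, doc_id)["title"])
        except LookupError:
            pass
    return titles
```

Running `readable_titles` with both handlers over the same ID range shows the vulnerable one returning every patient's records to a single session and the hardened one returning only the session owner's.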
Cox told TechCrunch that he had difficulty alerting Practice by Numbers to the issue because the company did not provide a clear means for reporting security problems. The email address listed on the company's website did not work, and his message bounced as undeliverable. Cox instead sent a message to one of the company's founders on LinkedIn, then followed up by email, but got no response.
The issue, which has now been fixed, highlights a recent trend in which consumers find security flaws in companies' products and websites but have no clear way to report them to developers.
In early April, fashion retailer Express fixed a bug on its website that allowed anyone to access order details and other customers' personal information after a user identified the bug, but couldn't find a way to alert the company. A similar incident involved Home Depot in December. A security researcher privately tried to alert the company about a security flaw that had exposed access to internal systems for almost a year, but the report was ignored until TechCrunch contacted the company.
Because the flaw was actively putting patient data at risk, TechCrunch alerted Practice by Numbers to the issue on April 13th. The company took its patient portal offline to fix the bug and brought it back online on April 17th.
Chris Lau, co-founder and chief technology officer of Practice by Numbers, told TechCrunch, citing server logs, that the company has fixed the vulnerability and has notified fewer than 10 patients that the bug exposed their information.
The company said it is working with affected dental clinics to notify affected patients. Lau said the company had not identified any evidence of previous activity related to the bug, suggesting that Cox likely discovered the bug first.
Cox confirmed that the bug appears to have been fixed.
In response to questions from TechCrunch, neither Lau nor Rohit Garg, co-founder and president of Practice by Numbers, would say whether the company's patient portal had undergone a security audit before launch. Companies typically commission security audits to ensure that their products meet cybersecurity standards and are free of common security flaws before customers start using them.
While no software is completely bug-free, companies that handle sensitive information such as medical data typically require third-party reviews of their code to eliminate critical security flaws.
Asked if Practice by Numbers plans to update its website to allow security researchers to notify the company of security flaws, such as through a vulnerability disclosure program, Garg said the company plans to update its website to allow people to report security issues. The company did not provide a schedule.