Practice by Numbers has patched a security vulnerability in its patient portal that exposed private health records, after the issue was identified by a user and later reported to the company.
Bug Allowed Access To Other Patients’ Records
The flaw was discovered by Joseph R. Cox, a patient using the portal to view his own dental records. The portal, bundled with Practice by Numbers’ software used in more than 5,000 dental practices across the United States, stores medical documents and personal data.
Cox found that users could access other patients’ files by modifying a document number in the web address. He said the identifiers appeared sequential, making it possible to guess and retrieve additional records. Through this method, he accessed files containing personal information, medical histories, and photo identification. His own records were also exposed in the same way.
Initial Attempts To Report Issue Went Unanswered
Cox said he attempted to alert the company via email but received no response. He reported that the company’s listed email address returned messages as undeliverable. He later contacted a company founder through LinkedIn but did not receive follow-up communication after sending additional details.
With no response, Cox contacted TechCrunch to raise awareness of the issue and prompt action.
Company Fixes Issue After Notification
TechCrunch notified Practice by Numbers of the vulnerability on April 13. The company temporarily disabled the patient portal to address the issue and restored access on April 17 after implementing a fix.
Co-founder and chief technology officer Chris Lau said fewer than 10 patients were affected, based on server logs. The company is working with the impacted dental practice to notify those individuals. Lau said there was no evidence of earlier exploitation and indicated Cox was likely the first to identify the flaw.
Cox confirmed that the vulnerability appears to have been resolved.
Lack Of Disclosure Channels Highlights Reporting Challenges
The incident reflects a broader issue where users and researchers encounter difficulties reporting security flaws. Cox said the company did not provide a clear channel for vulnerability disclosure.
Similar cases have emerged in recent months. Fashion retailer Express addressed a website flaw in April after a user found a way to access other customers’ order details without a clear reporting mechanism. In December, a security researcher reported exposure of internal systems at Home Depot, but the issue was not addressed until after external contact prompted action.
Questions Remain On Security Practices And Future Reporting
When asked whether the patient portal had undergone a security audit before launch, neither co-founder and president Rohit Garg nor Lau provided confirmation. Security audits are commonly used to identify vulnerabilities before deployment, particularly for systems handling sensitive health data.
Garg said the company plans to update its website to allow users and researchers to report security issues, including the potential introduction of a vulnerability disclosure program, but did not provide a timeline.
Featured image credits: Family Dental Care
For more stories like it, click the +Follow button at the top of this page to follow us.