Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Practice by Numbers, developer of patient management software used in thousands of dentists’ offices, has fixed a security flaw that exposed patients’ private health records on a portal that comes bundled with the software, TechCrunch has learned.
One patient, Joseph R. Cox, reported the flaw to TechCrunch after he encountered the issue while looking at his dental records on the online portal, which was provided by his dentist’s office.
This patient portal is part of dental practice management software developed by Practice by Numbers, which Claims Its products are used in more than 5,000 dental practices across the United States.
Cox said the flaw allowed any user of the portal, which includes patients’ medical documents and health records, to access documents belonging to other patients. He said he was able to access other patients’ documents from his account, including their personal information, medical histories, ID photos and other files. This error also meant that Cox’s records were completely vulnerable to other patients.
Cox said he tried to alert the company about the problem via email, but received no response. He then reported it to TechCrunch as a last resort to ask the company to correct the error.
This bug would have been very easy for anyone with a login to the Practice by Numbers app to exploit. Patient portal. Changing the document number in the web address while uploading one of his documents into the portal allows users to access other patients’ files, Cox said.
Worse still, Cox said the document numbers in the web address appear to be sequentially incremental, so it may be possible to easily guess the document numbers for other people’s medical files.
Cox told TechCrunch that he had difficulties alerting Practice by Numbers to the issue, as the company did not provide any clear way to report security issues. The company’s email address on its website was broken, and emails were returned as undeliverable. Instead, Cox sent a message to one of the company’s founders on LinkedIn, but received no response after a subsequent email.
The issue, which has now been fixed, highlights a recent trend in which ordinary consumers find security flaws in companies’ products or websites, but have no clear way to report the issue to developers.
Earlier in April, Fashion retailer Express has fixed a website error Which allowed anyone to access order details and personal information of other customers, after the user identified the error, but did not find a way to alert the company. A similar incident occurred with Home Depot in December: A security researcher attempted to alert the company privately about a security vulnerability Exposing access to its internal systems for nearly a yearBut their reports were ignored until TechCrunch contacted the company.
Because the security flaw was putting patient data at risk, TechCrunch alerted Practice by Numbers to the issue on April 13. The company removed its patient portal to fix the bug, bringing it back online on April 17.
Chris Lau, Numbers co-founder and chief technology officer, told TechCrunch that the company has fixed the vulnerability, and that it has notified fewer than 10 patients that their information had been exposed because of the bug, citing its server logs.
The company said it is working with the affected dental clinic to notify affected patients. Lau said the company did not identify evidence of previous activity related to the flaw, suggesting that Cox was likely the first to discover it.
Cox confirmed that the bug appears to have been fixed.
When asked by TechCrunch, neither Lau nor Number co-founder and president Rohit Garg said whether the company’s patient portal had undergone a security audit before its launch. Companies typically undergo security audits to ensure that their products meet cybersecurity standards and are free of common security flaws before customers start using them.
Although no software is ever completely bug-free, companies that handle sensitive information, such as healthcare data, typically seek third-party reviews of their code to eliminate any major security flaws.
When asked if Practice by Numbers plans to update its website to allow security researchers to notify the company of security flaws, such as a vulnerability disclosure program, Garg said the company plans to update its website to allow people to report security issues. The company did not provide a timetable.
When you make a purchase through the links in our articles, We may earn a small commission. This does not affect our editorial independence.