
Dental Software Patch Secures Exposed Patient Records

Summary

– A security flaw in Practice by Numbers’ patient portal allowed users to access other patients’ medical records by changing a document number in the web address.
– The bug was discovered by patient Joseph R. Cox, who could not alert the company due to a broken email address and unresponsive LinkedIn messages.
– TechCrunch notified Practice by Numbers on April 13, prompting the company to take the portal offline and fix the bug by April 17.
– The company notified fewer than 10 patients of data exposure and found no evidence of prior exploitation, suggesting Cox was the first to discover the flaw.
– Practice by Numbers plans to update its website to allow security issue reporting but did not provide a timeline, and it would not confirm if the portal had a security audit before launch.

A security vulnerability in a widely used dental patient management platform has been resolved after exposing sensitive health records through a bundled patient portal. The flaw, discovered by a patient, allowed unauthorized access to medical documents belonging to other individuals.

The patient, Joseph R. Cox, found the bug while reviewing his own dental records through a portal provided by his dentist’s office. This portal is a component of the software developed by Practice by Numbers, a company that states its products are utilized by more than 5,000 dental practices across the United States.

Cox reported that the security gap permitted any portal user to view documents from other patients. By simply altering the document number in the web address while loading his own files, he could access personal information, medical histories, photo identification, and other records belonging to different patients. This meant his own data was equally vulnerable to exposure.

After attempting to notify Practice by Numbers via email without receiving a response, Cox reached out to TechCrunch as a final measure to encourage the company to address the problem. The exploit was straightforward: document numbers in the web addresses appeared to be sequentially incremental, making it easy to guess other patients’ file identifiers.
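The access-control failure described above, shown as an added Python example that is not code from Practice by Numbers or from the original article: a portal handler that trusts the document number in the URL, beside a hardened handler that checks the session's ownership of the record, lists only the caller's own files, and issues opaque identifiers. The function names and sample records are constructed for illustration.

```python
import secrets

# Constructed sample data (not from the article): three records owned by two
# patients, keyed by a sequential integer as the insecure portal did.
DOCUMENTS = {
    1001: {"owner": "patient-a", "title": "treatment history"},
    1002: {"owner": "patient-b", "title": "photo id"},
    1003: {"owner": "patient-a", "title": "x-ray report"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see a record."""


def fetch_document_insecure(doc_id: int, session_user: str) -> dict:
    """Vulnerable pattern: the number from the URL is the only thing consulted.
    The authenticated session is ignored, so editing the number returns
    another patient's file."""
    return DOCUMENTS[doc_id]


def fetch_document(doc_id: int, session_user: str) -> dict:
    """Hardened pattern: resolve the record, then enforce that the
    authenticated session owns it before returning anything."""
    record = DOCUMENTS.get(doc_id)
    if record is None or record["owner"] != session_user:
        # Same error for missing and foreign records, so the response does
        # not reveal whether a guessed id exists.
        raise Forbidden("document not available to this user")
    return record


def list_documents(session_user: str) -> list[int]:
    """Enumerate only the caller's own records; clients should navigate from
    this list rather than from a user-editable number."""
    return sorted(i for i, d in DOCUMENTS.items() if d["owner"] == session_user)


def new_document_id() -> str:
    """Opaque, non-sequential identifier: defence in depth against guessing,
    not a substitute for the ownership check above."""
    return secrets.token_urlsafe(16)
```

Server-side logging of every Forbidden result per session is what makes the "no evidence of prior exploitation" determination mentioned later in the article possible.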

Cox faced significant challenges in reporting the issue. The company’s website lacked a clear channel for security concerns, and its listed email address was non-functional, returning messages as undeliverable. He then contacted one of the company’s founders on LinkedIn but received no reply after a follow-up email.

This incident underscores a growing trend where ordinary consumers identify security flaws in corporate products but have no effective method to report them. Similar situations occurred earlier in April with fashion retailer Express, where a website bug exposed customer order details, and in December with Home Depot, where a researcher’s alerts about a system exposure were ignored until media involvement.

Given the immediate risk to patient data, TechCrunch informed Practice by Numbers of the issue on April 13. The company promptly took its patient portal offline, fixed the vulnerability, and restored it on April 17.

Chris Lau, co-founder and chief technology officer at Practice by Numbers, confirmed the fix and stated that fewer than 10 patients were notified about potential data exposure, based on server logs. The company is collaborating with the affected dental practice to inform those individuals. Lau noted no evidence of prior exploitation, suggesting Cox was likely the first to discover the bug.

Cox verified that the vulnerability is no longer present.

When questioned, neither Lau nor co-founder and president Rohit Garg would confirm whether the patient portal had undergone a security audit before its launch. Such audits are standard practice for companies handling sensitive healthcare data, as they help identify common vulnerabilities before deployment.

Regarding future improvements, Garg indicated that Practice by Numbers plans to update its website to enable users to report security issues, potentially through a vulnerability disclosure program. However, no timeline for this change was provided.

(Source: TechCrunch)
