Practice by Numbers fixes security bug that exposed dental patients’ private records


A security flaw in dental practice software from Practice by Numbers has been patched after it allowed patients to view each other’s medical documents. The bug, which affected a patient portal used by thousands of dental offices, raised serious concerns about health data protection.

The issue came to light when patient Joseph R. Cox discovered he could access other people’s files while reviewing his own dental records. He reported the problem to TechCrunch after struggling to alert the company directly.

How the dental practice software bug worked

Cox found that changing a document number in the web address bar let him load files belonging to other patients. Because the numbers appeared to be sequential, guessing other document IDs was straightforward. This meant anyone with a login could potentially view personal information, medical histories, and even photo IDs of other patients.

The vulnerable portal is part of a broader system used in over 5,000 dental practices across the United States. Practice by Numbers develops this patient management software, which handles sensitive health records.
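The flaw class described above (a logged-in user swapping a sequential document number in the URL) comes down to a missing ownership check on the server. The following is an added example, not Practice by Numbers' code: a minimal model with a constructed in-memory store and hypothetical function names, showing the flawed lookup beside a checked one, plus a log audit that flags reads of documents the requester does not own.

```python
# Added illustration: constructed in-memory data, hypothetical names throughout.
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int      # sequential, as the article describes
    owner_id: str    # patient the document belongs to
    name: str


# Constructed sample store: three documents for three patients.
DOCUMENTS = {
    1001: Document(1001, "patient-a", "xray.pdf"),
    1002: Document(1002, "patient-b", "photo-id.jpg"),
    1003: Document(1003, "patient-c", "history.pdf"),
}


class NotFound(Exception):
    """Raised for both missing and not-owned documents, so responses
    do not reveal which IDs exist."""


def get_document_vulnerable(session_user: str, doc_id: int) -> Document:
    # Flawed pattern: being logged in is the only check; the ID taken
    # from the URL alone selects the record.
    if doc_id not in DOCUMENTS:
        raise NotFound(doc_id)
    return DOCUMENTS[doc_id]


def get_document_checked(session_user: str, doc_id: int) -> Document:
    # Hardened pattern: the record must belong to the authenticated user.
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != session_user:
        raise NotFound(doc_id)
    return doc


def cross_patient_reads(access_log):
    """Audit (user, doc_id) entries; return reads of documents the user does not own."""
    return [(user, doc_id) for user, doc_id in access_log
            if doc_id in DOCUMENTS and DOCUMENTS[doc_id].owner_id != user]
```

Running the audit function over historical access logs is one way to estimate how many records were reached before a fix, assuming the logs record both the authenticated user and the requested document ID.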

No clear way to report the vulnerability

Cox attempted to contact Practice by Numbers through email but received no response. The company’s website had a broken email address, causing messages to bounce back. He also tried reaching out via LinkedIn to one of the founders, but again heard nothing.

This situation reflects a growing problem: consumers who discover security flaws often have no straightforward method to report them. Similar incidents have occurred with other companies, including fashion retailer Express and Home Depot, where bugs went unreported because users couldn’t find the right contact.

Company response and fix

After TechCrunch alerted Practice by Numbers on April 13, the company took down its patient portal to address the flaw. It was restored on April 17, with the bug now resolved.

Chris Lau, co-founder and CTO, confirmed the fix and said fewer than ten patients had their information exposed. The company is working with the affected dental practice to notify those individuals. Lau added that server logs showed no evidence of previous exploitation, suggesting Cox was likely the first to discover the issue.

However, when asked whether the portal had undergone a security audit before launch, neither Lau nor co-founder Rohit Garg would confirm. Security audits are standard practice for software handling healthcare data, as they help catch common vulnerabilities early.

Lessons for healthcare software security

This incident highlights the importance of robust testing for any system that manages medical records. While no software is perfect, companies dealing with sensitive patient data have a responsibility to seek third-party reviews and establish clear reporting channels.

Garg indicated that Practice by Numbers plans to update its website to allow security researchers to report flaws, though no timeline was provided. For now, the immediate threat has been neutralised, but the case serves as a reminder that even widely used dental practice software can harbour serious weaknesses.

Patients who use online portals should remain vigilant about their data. If you suspect a security issue, consider reaching out to your provider directly or contacting a relevant authority like the Office for Civil Rights for guidance.

More broadly, the healthcare industry must prioritise vulnerability disclosure programs. Without them, well-meaning individuals like Cox may continue to face barriers when trying to report critical flaws. As more medical services move online, ensuring these platforms are secure should be a top priority.
