A dental practice software maker is fixing a bug that exposed patients’ medical records

Practice by Numbers, developer of patient management software used in thousands of dental offices, has fixed a security flaw that exposed confidential patient health records in a portal that comes bundled with the software, TechCrunch has learned.

Another patient, Joseph R. Cox, reported the bug to TechCrunch after encountering a problem while checking his dental records on the portal, which was provided by the dentist’s office.

This patient portal is part of the dental office management software by Practice by Numbers, which says its products are used in more than 5,000 dental practices across the United States.

Cox said the flaw allows any user of the portal, which stores patients’ medical documents and health records, to access other patients’ documents. He said he was able to find other patients’ documents on his account, including their information, medical history, identified photos, and other files. The bug also meant that Cox’s records were exposed to other patients.

Cox said he tried to notify the company about the issue by email, but did not hear back. He then informed TechCrunch as a last resort to ask the company to issue a bug.

The bug was incredibly easy to exploit by anyone with access to Practice by Numbers’ patient portal. Cox said changing the document number in the web address while uploading one of his documents to the portal allows users to access other patients’ files.

Worse, Cox said the document numbers in the web address appear to be ascending in sequence, so it is possible to easily guess the document numbers of other people’s medical files.

Cox told TechCrunch that he faced difficulty in alerting Practice by Numbers to the issue, as the company did not provide a visible way to report security issues. The company’s email address on its website was compromised, and emails were returned as undeliverable. Instead, Cox sent a message to one of the company’s founders on LinkedIn, but didn’t hear back after sending a follow-up email.

The problem, now fixed, highlights a recent trend where ordinary consumers find security flaws in companies’ products or websites, but have no clear way to report the problem to developers.

In early April, fashion retailer Express fixed a website bug that allowed anyone to access order details and personal information of other customers, after a user identified the error, but had no way to alert the company. A similar incident involved Home Depot in December: A security researcher tried to privately warn the company about a security flaw that exposed access to its internal systems for a year, but their reports were ignored until TechCrunch contacted the company.

Assuming the security flaw was putting patient data at risk, TechCrunch notified Practice by Numbers of the issue on April 13. The company took its patient portal down to fix the bug, and brought it back online on April 17.

Number’s co-founder and chief technology officer, Chris Lau, told TechCrunch that the company has fixed the vulnerability, and notified less than 10 patients that their information was exposed due to the bug, citing its server logs.

The company said it is working with affected dentists to notify affected patients. Lau said the company saw no evidence of previous work related to the bug, suggesting Cox may have been the first to discover it.

Cox confirmed that the error appears to have been fixed.

When asked by TechCrunch, Lau nor Practice by Nombolo’s founder and president, Rohit Garg, did not say whether the company’s patient portal was security tested before it was launched. Companies often undergo security audits to ensure that their products meet cybersecurity standards, and are free of common security flaws before customers start using them.

While no software is ever completely bug-free, companies that handle sensitive information, such as healthcare data, often seek third-party reviews of their code to remove any major security flaws.

When asked if Practice by Numbers plans to update its website to allow security researchers to notify the company of security flaws, such as a vulnerability disclosure program, Garg said the company plans to update its website to allow people to report security issues. The company did not provide a timeline.