Practice by Numbers, a provider of dental practice management software, has addressed a critical security issue that previously allowed unauthorized access to sensitive patient health records. This flaw was discovered by a patient while accessing their dental records through the company's portal.
Joseph R. Cox reported that the bug enabled users to view medical documents belonging to other patients simply by altering the document number in the web address. This vulnerability not only exposed others' records but also put Cox's own information at risk.
After failing to receive a response from Practice by Numbers through email, Cox escalated the matter to TechCrunch, prompting the company to take immediate action. The patient portal was temporarily taken offline for repairs and was restored shortly thereafter.
Details of the Vulnerability
The security flaw in the patient portal allowed any logged-in user to retrieve other patients' documents, which included personal information and medical histories. Because document numbers were assigned sequentially, guessing a valid number and pulling up a file that belonged to someone else required no special effort.
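The pattern described above is an insecure direct object reference: the portal looked a document up by its number and treated "logged in" as sufficient authorization. The following is an added illustration, not Practice by Numbers' code; the in-memory store, patient identifiers and document numbers are constructed, and it shows the vulnerable lookup beside a hardened one that scopes each record to its owner and issues non-sequential identifiers.

```python
"""Added example (not the portal's code): an IDOR-style document lookup
beside a hardened version. Store, users and ids are constructed."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_id: str
    body: str


# Constructed sample data: sequential numbers make neighbouring records
# guessable, which is what let one patient reach another's file.
DOCS = {
    "1001": Document("1001", "patient-a", "x-ray report for patient A"),
    "1002": Document("1002", "patient-b", "treatment plan for patient B"),
}


class Forbidden(Exception):
    """Raised when a logged-in user requests a document they do not own."""


def fetch_document_vulnerable(user_id: str, doc_id: str) -> Document:
    """Vulnerable pattern: authentication is mistaken for authorization.
    The caller's identity is never compared with the document's owner."""
    return DOCS[doc_id]


def fetch_document_hardened(user_id: str, doc_id: str) -> Document:
    """Hardened pattern: the record is scoped to the caller. A missing
    document and someone else's document raise the same error, so a
    probing client cannot tell 'does not exist' from 'not yours'."""
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner_id != user_id:
        raise Forbidden(f"document {doc_id} is not available to {user_id}")
    return doc


def new_document_id() -> str:
    """Defence in depth: a random 128-bit identifier cannot be reached by
    incrementing. It supplements the owner check; it does not replace it."""
    return secrets.token_urlsafe(16)
```

The owner check is the actual fix; random identifiers only make enumeration impractical and should never be the sole control.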
Challenges in Reporting the Issue
Cox faced significant challenges in notifying Practice by Numbers about the security issue. The company's email address was non-functional, and attempts to reach out via LinkedIn went unanswered. This highlights a growing concern about how companies manage security reports from users.
Company Response
Upon being alerted by TechCrunch, Practice by Numbers acted swiftly to fix the vulnerability. Co-founder Chris Lau confirmed that fewer than ten patients were notified about the exposure of their information, and the company is collaborating with the affected dental practice to inform those patients.
Importance of Security Audits
The incident raises questions about whether Practice by Numbers conducted a security audit before launching the patient portal. Regular audits are essential for identifying and mitigating potential vulnerabilities, especially in software handling sensitive healthcare data.
Future Improvements
In response to the incident, the company plans to enhance its website to facilitate better communication regarding security issues, including the implementation of a vulnerability disclosure program. However, no specific timeline has been provided for these updates.