Dental Software Company Resolves Issue That Compromised Patient Medical Records

by admin

Practice by Numbers, the creator of patient management software widely used in dental practices, recently fixed a significant security vulnerability that exposed patients' private health records through its patient portal.

The issue came to light when a user, Joseph R. Cox, reported it after discovering that the portal, which is part of the software suite used by his dentist, allowed him to access sensitive documents belonging to other patients. This included personal information and medical histories, indicating that his own records were equally at risk.

Cox had difficulty notifying Practice by Numbers about the flaw because the company had no clear mechanism for reporting security issues. Attempts to contact the company through its official email address yielded no response, with the address deemed undeliverable. He then reached out via LinkedIn to one of the company’s founders, but received no reply.

Exploiting the bug was straightforward: Cox was able to change the document number in the URL to view other patients’ files, because the numbers appeared to follow a simple sequential pattern and were easy to guess. The incident echoes a broader trend in which consumers identify security flaws but lack effective channels to report them. Recent examples include vulnerabilities at retailers like Express and Home Depot, where users faced similar challenges in alerting the companies.
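The flaw described above is a missing per-document authorization check combined with guessable identifiers. The sketch below is an added example, not Practice by Numbers' code or its actual fix: it places a lookup that trusts the number in the URL beside one that checks ownership on every request and logs denials for review. All function names, patient IDs and document contents are constructed for illustration.

```python
import secrets
from collections import Counter

DOCS = {}    # opaque document ID -> {"owner": patient_id, "body": text}
LEGACY = {}  # sequential document number -> opaque ID (the guessable "before" scheme)

def add_document(owner, body):
    """Store a document under an unguessable ID and a sequential number."""
    doc_id = secrets.token_urlsafe(16)
    DOCS[doc_id] = {"owner": owner, "body": body}
    number = 1001 + len(LEGACY)
    LEGACY[number] = doc_id
    return number, doc_id

def get_document_vulnerable(session_patient, number):
    """Before: being logged in is enough; the number in the URL picks the record."""
    doc = DOCS.get(LEGACY.get(number))
    return (200, doc["body"]) if doc else (404, None)

def get_document_hardened(session_patient, doc_id, audit):
    """After: ownership is checked server-side on every request."""
    doc = DOCS.get(doc_id)
    allowed = doc is not None and doc["owner"] == session_patient
    audit.append((session_patient, "ok" if allowed else "denied"))
    # Missing and not-yours return the same 404, so IDs cannot be probed.
    return (200, doc["body"]) if allowed else (404, None)

def sessions_to_review(audit, threshold=3):
    """Patients with at least `threshold` denied lookups, for alerting."""
    denied = Counter(p for p, result in audit if result == "denied")
    return sorted(p for p, n in denied.items() if n >= threshold)

# Constructed sample data: two patients with one document each.
ALICE_NUM, ALICE_ID = add_document("patient-alice", "alice: x-ray report")
BOB_NUM, BOB_ID = add_document("patient-bob", "bob: medical history form")

if __name__ == "__main__":
    audit = []
    print(get_document_vulnerable("patient-alice", BOB_NUM))        # another patient's file is returned
    print(get_document_hardened("patient-alice", BOB_ID, audit))    # (404, None)
    print(get_document_hardened("patient-alice", ALICE_ID, audit))  # own file is returned
```

Random identifiers only make guessing harder; the ownership check is what closes the hole, so it belongs on every endpoint that returns a patient document.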

Upon being informed of the issue by TechCrunch on April 13, Practice by Numbers took the portal offline to address the security flaw. It was subsequently restored on April 17. According to Chris Lau, co-founder and CTO of the company, the vulnerability has been fixed, and fewer than 10 patients will be notified that their information was exposed.

Despite the fix, it remains unclear whether the patient portal underwent a security audit before launch, a standard precaution for applications that handle sensitive data. Lau and Rohit Garg, the company’s president, could not confirm whether such an audit was performed.

To prevent future occurrences, Garg indicated that Practice by Numbers plans to update its website to make it easier to report security issues, although he gave no specific timeline. While no software can be entirely free of bugs, handling confidential data calls for a proactive approach to cybersecurity, often involving third-party evaluations to identify and remediate potential vulnerabilities.
