Dental practice software maker fixes bug that exposed patients’…

Practice by Numbers, the developer of a patient management software used in thousands of dentist’s offices, has fixed a security flaw that exposed the private health records of patients on a portal that comes bundled with the software, TechCrunch has learned. Cox said the bug allowed any user of the portal, which houses patients’ medical documents and health records, to access documents belonging to other patients.

Cox told TechCrunch that he faced difficulties in alerting Practice by Numbers to the issue, as the company offered no discernible avenue to report security problems. Earlier in April, fashion retailer Express fixed a website bug that allowed anyone to access the order details and personal information of other customers, after a user identified the bug, but found no way to alert the company.

A similar incident involved Home Depot in December: A security researcher tried to privately alert the company about a security lapse that was exposing access to its internal systems for almost a year , but their reports were ignored until TechCrunch contacted the company. Practice by Numbers’ co-founder and chief technology officer, Chris Lau, told TechCrunch that the company had fixed the vulnerability, and it was notifying fewer than 10 patients that their information was exposed due to the bug, citing its server logs.

When asked by TechCrunch, neither Lau nor Practice by Number’s co-founder and president, Rohit Garg, would say if the company’s patient portal had undergone a security audit before it was launched. When asked if Practice by Numbers plans to update its website to allow security researchers to notify the company of security flaws, such as through a vulnerability disclosure program, Garg said the company plans to update its website to let people report security issues.

Source: TechCrunch