{"id":3489743,"date":"2026-04-30T15:15:41","date_gmt":"2026-04-30T15:15:41","guid":{"rendered":"https:\/\/techingeek.com\/index.php\/2026\/04\/30\/dental-practice-software-developer-resolves-issue-that-revealed-patients-medical-records\/"},"modified":"2026-04-30T15:15:41","modified_gmt":"2026-04-30T15:15:41","slug":"dental-practice-software-developer-resolves-issue-that-revealed-patients-medical-records","status":"publish","type":"post","link":"https:\/\/techingeek.com\/index.php\/2026\/04\/30\/dental-practice-software-developer-resolves-issue-that-revealed-patients-medical-records\/","title":{"rendered":"Dental practice software developer resolves issue that revealed patients\u2019 medical records"},"content":{"rendered":"
<\/div>\n
\n

Practice by Numbers, the creator of a patient management software utilized in numerous dental offices, has addressed a security vulnerability that revealed patients’ private health information on a portal bundled with the software, as reported by TechCrunch.<\/p>\n

One patient, Joseph R. Cox, alerted TechCrunch about the glitch after experiencing the issue while viewing his dental records on the portal provided by his dentist\u2019s office.\u00a0<\/p>\n

This patient portal is an aspect of dental management software developed by Practice by Numbers, which asserts that its products are employed in over 5,000 dental practices throughout the United States.<\/p>\n

Cox indicated that the vulnerability permitted any portal user to access medical documents and health records of other patients. He stated that he could view other patients\u2019 files through his account, which included personal data, medical histories, photo IDs, and additional documents. The flaw also meant that Cox\u2019s own records were similarly vulnerable to other patients.<\/p>\n

Cox mentioned that he tried to inform the company about the problem via email but received no response. Subsequently, he contacted TechCrunch as a last option to urge the company to resolve the glitch.<\/p>\n

The flaw was notably simple to exploit by anyone logged into the Practice by Numbers\u2019 patient portal. Cox noted that altering the document number in the web address while accessing one of his documents in the portal allowed users to reach files belonging to other patients.\u00a0<\/p>\n

Even more concerning, Cox stated that the document numbers in the web address seem to progress sequentially, making it easy to guess the document numbers of other individuals’ medical files.<\/p>\n

Cox informed TechCrunch that he faced challenges in notifying Practice by Numbers about the problem, as the company provided no clear means for reporting security concerns. The email address on the company\u2019s website was malfunctioning, resulting in returned undeliverable messages. Instead, Cox reached out to one of the company\u2019s founders via LinkedIn, but did not receive any reply following a follow-up email.<\/p>\n

The resolved issue emphasizes a growing trend where ordinary consumers discover security flaws in products or websites of companies yet lack a straightforward path to report such matters to the developers.<\/p>\n

Earlier in April, fashion retailer Express addressed a website flaw that allowed any user to view the order details and personal information of other customers after a user identified the issue but found no way to inform the company. A similar situation happened with Home Depot in December, where a security researcher attempted to privately alert the company about a security lapse exposing access to its internal systems for nearly a year, but their notifications went ignored until TechCrunch reached out.<\/p>\n

Considering the security breach was actively jeopardizing patients’ data, TechCrunch notified Practice by Numbers of the concern on April 13.\u00a0The company took down its patient portal to rectify the flaw and re-launched it on April 17.<\/p>\n

Chris Lau, co-founder and chief technology officer of Practice by Numbers, informed TechCrunch that the vulnerability had been resolved and that fewer than 10 patients were being notified that their information had been compromised due to the flaw, according to server logs.<\/p>\n

The company stated it is collaborating with the impacted dental practice to inform the affected patients. Lau mentioned that the company hadn’t found evidence of prior activity related to the flaw, implying that Cox was likely the first to discover it.<\/p>\n

Cox confirmed that the vulnerability seems to have been addressed.<\/p>\n

When TechCrunch inquired, neither Lau nor Rohit Garg, co-founder and president of Practice by Numbers, disclosed whether the company’s patient portal had undergone a security audit prior to its launch. Companies typically conduct security audits to ensure their products comply with cybersecurity standards and are devoid of prevalent security vulnerabilities before being used by customers.<\/p>\n

Although no software is ever entirely free of bugs, firms dealing with sensitive information, such as healthcare data, generally seek external evaluations of their code to eliminate any significant security flaws.<\/p>\n

When asked if Practice by Numbers intended to enhance its website to enable security researchers to report security flaws, including a vulnerability disclosure program, Garg stated that the company aims to improve its website to facilitate the reporting of security issues. The company did not provide a timeline.<\/p>\n<\/div>\n

When purchasing through links in our articles, we may earn a small commission. This does not impact our editorial independence.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/div>\n
\n

Practice by Numbers, the creator of a patient management software utilized in numerous dental offices, has addressed a security vulnerability that revealed patients’ private health information on a portal bundled with the software, as reported by TechCrunch.<\/p>\n

One patient, Joseph R. Cox, alerted TechCrunch about the glitch after experiencing the issue while viewing his dental records on the portal provided by his dentist\u2019s office.\u00a0<\/p>\n

This patient portal is an aspect of dental management software developed by Practice by Numbers, which asserts that its products are employed in over 5,000 dental practices throughout the United States.<\/p>\n

Cox indicated that the vulnerability permitted any portal user to access medical documents and health records of other patients. He stated that he could view other patients\u2019 files through his account, which included personal data, medical histories, photo IDs, and additional documents. The flaw also meant that Cox\u2019s own records were similarly vulnerable to other patients.<\/p>\n

Cox mentioned that he tried to inform the company about the problem via email but received no response. Subsequently, he contacted TechCrunch as a last option to urge the company to resolve the glitch.<\/p>\n

The flaw was notably simple to exploit by anyone logged into the Practice by Numbers\u2019 patient portal. Cox noted that altering the document number in the web address while accessing one of his documents in the portal allowed users to reach files belonging to other patients.\u00a0<\/p>\n

Even more concerning, Cox stated that the document numbers in the web address seem to progress sequentially, making it easy to guess the document numbers of other individuals’ medical files.<\/p>\n

Cox informed TechCrunch that he faced challenges in notifying Practice by Numbers about the problem, as the company provided no clear means for reporting security concerns. The email address on the company\u2019s website was malfunctioning, resulting in returned undeliverable messages. Instead, Cox reached out to one of the company\u2019s founders via LinkedIn, but did not receive any reply following a follow-up email.<\/p>\n

The resolved issue emphasizes a growing trend where ordinary consumers discover security flaws in products or websites of companies yet lack a straightforward path to report such matters to the developers.<\/p>\n

Earlier in April, fashion retailer Express addressed a website flaw that allowed any user to view the order details and personal information of other customers after a user identified the issue but found no way to inform the company. A similar situation happened with Home Depot in December, where a security researcher attempted to privately alert the company about a security lapse exposing access to its internal systems for nearly a year, but their notifications went ignored until TechCrunch reached out.<\/p>\n

Considering the security breach was actively jeopardizing patients’ data, TechCrunch notified Practice by Numbers of the concern on April 13.\u00a0The company took down its patient portal to rectify the flaw and re-launched it on April 17.<\/p>\n

Chris Lau, co-founder and chief technology officer of Practice by Numbers, informed TechCrunch that the vulnerability had been resolved and that fewer than 10 patients were being notified that their information had been compromised due to the flaw, according to server logs.<\/p>\n

The company stated it is collaborating with the impacted dental practice to inform the affected patients. Lau mentioned that the company hadn’t found evidence of prior activity related to the flaw, implying that Cox was likely the first to discover it.<\/p>\n

Cox confirmed that the vulnerability seems to have been addressed.<\/p>\n

When TechCrunch inquired, neither Lau nor Rohit Garg, co-founder and president of Practice by Numbers, disclosed whether the company’s patient portal had undergone a security audit prior to its launch. Companies typically conduct security audits to ensure their products comply with cybersecurity standards and are devoid of prevalent security vulnerabilities before being used by customers.<\/p>\n

Although no software is ever entirely free of bugs, firms dealing with sensitive information, such as healthcare data, generally seek external evaluations of their code to eliminate any significant security flaws.<\/p>\n

When asked if Practice by Numbers intended to enhance its website to enable security researchers to report security flaws, including a vulnerability disclosure program, Garg stated that the company aims to improve its website to facilitate the reporting of security issues. The company did not provide a timeline.<\/p>\n<\/div>\n

When purchasing through links in our articles, we may earn a small commission. This does not impact our editorial independence.<\/em><\/p>\n","protected":false},"author":2,"featured_media":3489744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"Default","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3489743","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/posts\/3489743"}],"collection":[{"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/comments?post=3489743"}],"version-history":[{"count":0,"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/posts\/3489743\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/media\/3489744"}],"wp:attachment":[{"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/media?parent=3489743"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/categories?post=3489743"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/tags?post=3489743"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}