
Dental portal bug fixed after patients’ records exposed — Misryoum

A security flaw in Practice by Numbers’ bundled patient portal let logged-in users view other patients’ files. Misryoum reports it’s now patched and a disclosure path is planned.

A patient portal bundled into dental practice software exposed private medical records for a period—prompting an urgent fix and renewed questions about how security researchers can report bugs.

The issue centers on software from Practice by Numbers, used by thousands of dentist offices. The patient portal holds medical documents and health records, and the company says its tools are used across more than 5,000 dental practices in the United States. According to Misryoum’s reporting, one patient identified a way to view other patients’ documents simply by manipulating a document reference inside the portal’s web address.

The core problem was not a complicated breach chain. Misryoum learned that once a user had login access to their own portal, they could change the document number in the URL while loading a file and reach records belonging to other people. In practical terms, this meant personal information, medical histories, photo identification, and related documents could be pulled from accounts that were not theirs. The flaw also created a two-way risk: if other patients could access someone else’s records, that same exposure could reach the original patient who discovered it.

What makes this incident feel especially raw for consumers is how the exploit appears to rely on predictable structure—Misryoum reports that the document numbers were sequential and incremental. When identifiers are guessable, even a modest bug can become a fast-moving privacy emergency. Attackers don’t need special skills or specialized tools; they may only need patience and a working login.
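The missing per-document authorization check described above, next to a corrected lookup, as an added example that is not from Misryoum's reporting or Practice by Numbers' code. The store, the names (`DOCS`, `fetch_vulnerable`, `fetch_checked`, `new_document_id`) and the sample records are constructed assumptions.

```python
import secrets

# Constructed sample store: sequential document numbers, each owned by one patient.
DOCS = {
    1001: {"owner": "patient_a", "body": "A: x-ray report"},
    1002: {"owner": "patient_b", "body": "B: photo ID scan"},
    1003: {"owner": "patient_a", "body": "A: treatment plan"},
}
DENIED_LOG = []  # (user, doc_id) pairs kept for later triage


class NotFound(Exception):
    """Raised for both missing and unowned documents (no existence oracle)."""


def fetch_vulnerable(session_user, doc_id):
    # Flawed pattern: a valid login is treated as authorization for any document.
    doc = DOCS.get(doc_id)
    if session_user is None or doc is None:
        raise NotFound(doc_id)
    return doc["body"]


def fetch_checked(session_user, doc_id):
    # Corrected pattern: authorize the requested object on every request.
    doc = DOCS.get(doc_id)
    if session_user is None or doc is None:
        raise NotFound(doc_id)
    if doc["owner"] != session_user:
        DENIED_LOG.append((session_user, doc_id))  # record the attempt
        raise NotFound(doc_id)  # same response as a missing document
    return doc["body"]


def new_document_id():
    # Defense in depth: unguessable references. Not a substitute for the check.
    return secrets.token_urlsafe(16)
```

The ownership check is the fix; random identifiers only slow guessing and do nothing if a reference leaks.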

Misryoum also notes the reporting friction. The patient who found the issue tried contacting the company through the available channels and received no response. With an email address on the website returning as undeliverable and no clear route for security disclosures, the discoverer reached out through other means. Ultimately, the vulnerability was patched only after the problem was brought into public view.

That sequence is part of a wider pattern Misryoum is seeing across digital services: everyday users occasionally become de facto bug reporters, but the path from discovery to resolution is often unclear. Many software vendors don’t provide an obvious vulnerability reporting option—despite handling sensitive data where trust is the product. When the only way to get attention is to escalate, fixes tend to arrive later than they should, and the exposure window can stretch.

For healthcare-adjacent platforms, the stakes are higher than lost screenshots or minor account access. Dental records aren’t just routine documents; they can include identifying details and health-related information that people expect to remain private. In an environment where patients may share sensitive data during routine appointments, a portal that weakens privacy protections undermines a basic promise of care: confidentiality.

Practice by Numbers removed the patient portal to address the vulnerability and later restored it once the bug was fixed, Misryoum reports. The company said it identified fewer than 10 patients as potentially affected, based on server logs, and it is working with the dental practice to notify those individuals. The technical fix appears to have resolved the immediate problem, and the patient who discovered the issue confirmed that the behavior no longer works after the patch.

Even with the patch in place, Misryoum expects this case to put pressure on how companies handle security accountability—not just whether a flaw exists, but how quickly it can be reported and how transparently it can be triaged. The company indicated it plans to update its website to enable people to report security issues, though it did not provide a timeline.

From an editorial and cybersecurity perspective, the most actionable takeaway is not simply “a bug was fixed.” It’s that security programs need user-facing pathways that work when something goes wrong. For companies serving regulated or sensitive data, a vulnerability disclosure process is less a checkbox and more a practical safety valve—one that can reduce the gap between discovery and remediation, especially when the people who find problems are not professional researchers.