Practice by Numbers, a dental office management software used in over 5,000 U.S. dental practices, has patched a security flaw that allowed any logged-in patient to view other patients’ private health records through its online portal.
The vulnerability was discovered by patient Joseph R. Cox in April 2026 while reviewing his own dental records. Cox found that simply changing a document number in the browser’s web address bar while viewing his files gave him access to records belonging to other patients, including personal information, medical histories, and photo identification. The document numbers appeared to be sequential, making it straightforward to guess other patients’ file numbers.
Cox attempted to report the issue directly to Practice by Numbers but encountered significant obstacles. The email address listed on the company’s website was broken, with messages returned as undeliverable, and a message sent to a company founder on LinkedIn went unanswered. With no formal channel to report security vulnerabilities, Cox turned to TechCrunch as a last resort.
TechCrunch alerted Practice by Numbers on April 13, 2026. The company took its patient portal offline to address the flaw and restored it on April 17. Co-founder and CTO Chris Lau said the company is notifying fewer than 10 patients whose information was exposed, based on server logs, and found no evidence the bug had been exploited prior to Cox’s discovery.
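The class of flaw described above (a document served by number to any logged-in user) and the kind of log review the company describes can be sketched as follows. This is an added illustration, not Practice by Numbers code and not a description of its actual fix; the data store, function names, IDs and log entries are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_patient_id: int

# Constructed sample data: sequential document IDs owned by different patients.
DOCUMENTS = {
    1001: Document(1001, owner_patient_id=7),
    1002: Document(1002, owner_patient_id=8),
    1003: Document(1003, owner_patient_id=7),
}

class Forbidden(Exception):
    """No authenticated session."""

class NotFound(Exception):
    """Document missing or not visible to this patient."""

def get_document_flawed(session_patient_id, doc_id):
    # Flawed pattern: confirms only that someone is logged in,
    # never that the document belongs to that person.
    if session_patient_id is None:
        raise Forbidden("login required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc

def get_document_checked(session_patient_id, doc_id):
    # Object-level authorization: the owner must match the session.
    if session_patient_id is None:
        raise Forbidden("login required")
    doc = DOCUMENTS.get(doc_id)
    # Same error for "missing" and "not yours", so responses do not
    # reveal which document numbers exist.
    if doc is None or doc.owner_patient_id != session_patient_id:
        raise NotFound(doc_id)
    return doc

def cross_patient_reads(access_log):
    # Log review: list (patient_id, doc_id) entries where the reader
    # was not the owner of the document that was served.
    return [(pid, did) for pid, did in access_log
            if did in DOCUMENTS and DOCUMENTS[did].owner_patient_id != pid]
```

The ownership comparison runs on the server for every request, so it holds regardless of whether document numbers are sequential or random.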
When asked whether the portal had undergone a security audit before launch, neither Lau nor co-founder and president Rohit Garg provided a direct answer. Garg said the company plans to add a way for people to report security issues to its website, though no timeline was given.
The incident reflects a broader pattern in which consumers discover security flaws in products but have no clear path to report them — a similar dynamic played out with fashion retailer Express and Home Depot in recent months. Companies handling sensitive health data typically seek third-party security reviews before launching customer-facing products, though Practice by Numbers did not confirm whether it had done so.
Source: TechCrunch