A patient portal bug exposed records across dental practices

Practice by Numbers, a developer of dental office management software used in more than 5,000 practices in the United States, has fixed a security flaw that exposed patient records through its portal, according to TechCrunch. The issue was identified by a patient using the portal to review his own dental files.

According to the report, the bug allowed a logged-in patient to access documents belonging to other patients. The exposed files reportedly included personal information, medical histories, photo identification, and other documents. Because the flaw affected how documents were retrieved, the patient who found it said his own files were likely exposed to others as well.

An easy-to-exploit issue with sensitive consequences

The reported weakness was notable not only because it involved health information, but because it was simple to exploit. TechCrunch said the patient discovered that changing a document number in the web address could reveal other files. Those document numbers also appeared to be sequential, which raised the possibility that other records could be guessed without much difficulty.

That combination matters. A flaw that requires deep technical skill is dangerous enough, but one that can be reproduced by an ordinary portal user creates a much broader exposure surface. In this case, access to the system did not appear to require specialized tools or insider privileges beyond a valid patient login.
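The class of flaw described above, as an added example that is not taken from the TechCrunch report or from Practice by Numbers' code: a document lookup that treats a valid login as sufficient, beside one that also checks ownership and records denied lookups for review. The data model, function names and sample records are constructed assumptions; the report does not describe the portal's implementation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: str  # patient account that owns the file (assumed data model)
    name: str

# Constructed sample data: sequential document numbers, as the report describes.
DOCUMENTS = {
    1001: Document(1001, "patient-a", "intake-form.pdf"),
    1002: Document(1002, "patient-b", "photo-id.jpg"),
    1003: Document(1003, "patient-b", "medical-history.pdf"),
    1004: Document(1004, "patient-c", "xray.png"),
}

class NotFound(Exception):
    """Would map to HTTP 404 in a real handler."""

def fetch_unchecked(session_patient, doc_id):
    """Flawed pattern: a valid login is the only condition for retrieval."""
    if session_patient is None:
        raise PermissionError("login required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc

def fetch_authorized(session_patient, doc_id, audit):
    """Corrected pattern: the record must belong to the session's patient."""
    if session_patient is None:
        raise PermissionError("login required")
    doc = DOCUMENTS.get(doc_id)
    allowed = doc is not None and doc.owner_id == session_patient
    audit.append((session_patient, doc_id, allowed))
    if not allowed:
        # Same answer for "missing" and "not yours", so existence is not confirmed.
        raise NotFound(doc_id)
    return doc

def sessions_to_review(audit, threshold=3):
    """Flag accounts with repeated denied lookups, a sign of document-number guessing."""
    denied = {}
    for patient, _doc_id, allowed in audit:
        if not allowed:
            denied[patient] = denied.get(patient, 0) + 1
    return sorted(p for p, n in denied.items() if n >= threshold)
```

Replacing sequential numbers with random identifiers makes guessing harder, but the ownership check is what closes the cross-account access.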

The fix came after the patient struggled to report it

The patient said he tried to alert the company directly, first by email and then through LinkedIn, but did not receive a response before contacting TechCrunch. The outlet reported that the company’s published email address was returning messages as undeliverable, leaving no clear path for responsible disclosure.

That detail is almost as important as the bug itself. The episode reflects a recurring problem in consumer and business software: companies routinely ask users to trust them with sensitive data, but many still lack a visible, working channel for reporting security problems. When the person who spots a flaw cannot find a route to the right team, the window of exposure stays open longer than it should.

A wider pattern in consumer-found vulnerabilities

TechCrunch framed the incident as part of a broader trend in which ordinary users, not professional researchers, are finding severe security issues in everyday products. The report cited similar cases involving other companies where users or researchers struggled to get attention before media outreach prompted action.

That pattern suggests the security ecosystem is changing. Software is now embedded in routine services, from retail orders to healthcare administration, and the people interacting with those systems are often the first to notice when something is wrong. Organizations that handle regulated or highly personal data increasingly need the operational discipline to listen when those users speak up.

Why this matters in healthcare software

Dental software may not draw the same attention as hospital systems or national insurers, but the information stored in practice portals can still be deeply sensitive. Medical history, identity documents, and treatment records can all appear in a patient account. A defect that crosses account boundaries therefore creates privacy, trust, and potentially compliance risks in one step.

The source report does not quantify how many patients were affected, and Practice by Numbers’ fix appears to have closed the specific bug. Still, the case shows how a single authorization mistake in a web portal can turn a routine document viewer into a privacy exposure affecting many users at once.

What the incident signals

The immediate story is straightforward: a patient found a flaw, the flaw exposed other patients’ records, and the company fixed it after the issue reached public attention. The larger lesson is that security is not only about patching code. It is also about having clear intake paths, functioning contact channels, and processes that treat unsolicited bug reports as operational priorities rather than noise.

As more healthcare-adjacent services move through patient-facing web apps, that distinction will matter more. Companies can close a bug after discovery, but rebuilding confidence is harder when users learn that both the flaw and the reporting system failed at the same time.

This article is based on reporting by TechCrunch.

Originally published on techcrunch.com