Dental Software Provider Settles With FTC on Charges It Misled Customers About Data Encryption | Practical Law


The FTC settled claims against Henry Schein Practice Solutions, Inc. concerning allegations that Schein marketed dental practice management software using deceptive claims that the software provided industry-standard patient data encryption as required by the Health Insurance Portability and Accountability Act (HIPAA), when its encryption methods were in fact notably weaker than the industry standard.

Dental Software Provider Settles With FTC on Charges It Misled Customers About Data Encryption

by Practical Law Intellectual Property & Technology
Published on 06 Jan 2016, USA (National/Federal)
On January 5, 2016, the FTC issued a press release announcing the settlement of claims against Henry Schein Practice Solutions, Inc. for $250,000. The FTC alleged that Schein marketed dental practice management software using deceptive claims that it provided industry-standard patient data encryption as required by the Health Insurance Portability and Accountability Act (HIPAA), when its encryption methods were in fact notably weaker than the industry standard.
Dentists use Dentrix G5 software to collect and store patients' personal information. The FTC complaint asserts that Schein marketed an updated version of Dentrix G5 as incorporating a new database engine from a third-party vendor whose new capabilities included a data protection algorithm, which Schein advertised as providing encryption in line with HIPAA requirements and industry standards.
The FTC alleged Schein's advertising was deceptive because:
  • Schein claimed that its data protection algorithm met industry standards and helped dentists to meet their HIPAA obligations.
  • The third-party database vendor informed Schein in 2010 that the algorithm had not been tested publicly and was less secure than industry-standard Advanced Encryption Standard (AES) encryption.
  • The US Computer Emergency Readiness Team (US-CERT) described the method as a "weak obfuscation algorithm" in June 2013.
  • Also in June 2013, the National Institute of Standards and Technology (NIST) published a vulnerability alert related to the algorithm.
Schein will pay $250,000 to the FTC under the settlement agreement. Schein is also prohibited from misrepresenting in marketing:
  • Whether or to what extent its products and services offer industry-standard encryption.
  • The ability of its products and services to help customers meet their regulatory obligations related to privacy or security.
  • The extent to which its products and services maintain the privacy, security, confidentiality, and integrity of personal information.
The agreement also requires Schein to notify every dental practice that purchased Dentrix G5 while the misleading statements were being made, informing them that the product does not provide industry-standard encryption, and to file ongoing reports with the FTC on the progress of that notification.
This action highlights the need for all organizations, and especially those in highly regulated sectors like health care, to scrutinize vendor claims and the implementation details behind data security features. The Dentrix matter turned on the gap between the marketing label "encryption" and what the product actually did: a proprietary algorithm that had never been publicly tested and that its own developer rated as less secure than AES. Customers should ask a vendor to name the algorithm it uses (for example, AES) and to show whether the design has been publicly reviewed; a scheme that cannot be described in those terms should be treated as obfuscation rather than encryption, whatever the marketing says. User organizations should also obtain contractual commitments, backed by technical detail they can verify, that industry-standard methods are used for key security features, particularly those critical for managing risk and meeting regulatory obligations.
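A practical first check on such a claim, as an added example that is not part of the original article and is not code from the FTC matter or from any vendor: the following Python script measures whether a stored data file is statistically consistent with real ciphertext. Its inputs are constructed: fake patient records, a hypothetical 3-byte repeating-key XOR "camouflage" standing in for an untested proprietary scheme (not the algorithm at issue in the FTC matter), and seeded random bytes standing in for the output of a sound cipher such as AES. A file that fails the check is not encrypted in any meaningful sense; passing it is necessary but not sufficient.

```python
"""Sanity check for a vendor's claim that a stored data file is "encrypted".

Added example for this page, not code from the FTC matter or from any vendor.
It cannot prove that strong encryption is in use; it shows when a file is
definitely NOT ciphertext: low byte entropy, or a repeating pattern that a
short-key obfuscator leaks (and from which the key can be read back).
"""
import math
import random
from collections import Counter
from itertools import cycle
from typing import Dict, Optional

# Constructed sample "patient records": fake names and dates, variable length.
FIRST = ["ANA", "BENJAMIN", "CHLOE", "DAVID", "ESPERANZA", "FRANK", "GABRIELLE"]
LAST = ["OKAFOR", "LI", "MARTINEZ", "NAKAMURA", "NGUYEN", "PATEL", "QUINN",
        "ROSSI", "SCHMIDT", "TANAKA", "VASQUEZ"]
PROC = ["CLEANING", "XRAY", "CROWN PREP", "EXTRACTION", "FILLING"]
SAMPLE_RECORDS = b"".join(
    (f"{i:04d}|{FIRST[i % 7]} {LAST[i % 11]}|DOB 19{60 + i % 40:02d}-{1 + i % 12:02d}-"
     f"{1 + i % 28:02d}|{PROC[i % 5]}|BALANCE {i * 7 % 500}.00\n").encode("ascii")
    for i in range(300)
)

# Hypothetical weak "data camouflage": repeating-key XOR with a 3-byte key.
# A stand-in for an untested proprietary scheme; it is not any product's algorithm.
CAMOUFLAGE_KEY = b"\x8e\x2b\x5b"


def repeating_key_xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, cycle(key)))


OBFUSCATED = repeating_key_xor(SAMPLE_RECORDS, CAMOUFLAGE_KEY)

# Stand-in for real ciphertext: a sound cipher's output (e.g. AES-GCM) is
# indistinguishable from uniform random bytes, so seeded random bytes model it.
_rng = random.Random(2016)
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(len(SAMPLE_RECORDS)))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, and real ciphertext of this size sits near 7.99."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def index_of_coincidence(column: bytes) -> float:
    """Probability that two distinct positions of `column` hold the same byte (uniform bytes: 1/256)."""
    n = len(column)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(column).values()) / (n * (n - 1))


def mean_ic_at_period(data: bytes, period: int) -> float:
    """Average IC of the `period` interleaved columns data[c::period]."""
    return sum(index_of_coincidence(data[c::period]) for c in range(period)) / period


def likely_period(data: bytes, max_period: int = 40) -> Optional[int]:
    """Smallest period whose columns look like plaintext under a fixed key byte.

    Under repeating-key XOR, columns aligned to the key length keep the
    plaintext's own IC (a few percent for text); misaligned columns mix key
    bytes and fall toward 1/256. Plaintext itself already scores high at
    period 1. Returns None when nothing stands out, which is how ciphertext looks.
    """
    scores = {p: mean_ic_at_period(data, p) for p in range(1, max_period + 1)}
    best = max(scores.values())
    if best < 0.02:
        return None
    return min(p for p, s in scores.items() if s >= 0.8 * best)


PLAINTEXT_ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 \n")


def recover_key(data: bytes, period: int) -> bytes:
    """Per column, choose the key byte that decodes the most bytes into the expected character classes."""
    recovered = bytearray()
    for c in range(period):
        column = data[c::period]
        recovered.append(max(range(256),
                             key=lambda k: sum((b ^ k) in PLAINTEXT_ALPHABET for b in column)))
    return bytes(recovered)


def assess(data: bytes) -> Dict[str, object]:
    """Ciphertext-like only if entropy is near 8 bits/byte and no period stands out."""
    entropy = shannon_entropy(data)
    period = likely_period(data)
    return {
        "entropy_bits_per_byte": round(entropy, 3),
        "period": period,
        "ciphertext_like": entropy >= 7.9 and period is None,
    }


if __name__ == "__main__":
    for label, blob in [("plaintext", SAMPLE_RECORDS),
                        ("xor-camouflaged", OBFUSCATED),
                        ("ciphertext-like", CIPHERTEXT_LIKE)]:
        print(label, assess(blob))
    found = likely_period(OBFUSCATED)
    print("recovered key:", recover_key(OBFUSCATED, found).hex())
```

Running the script prints a verdict for each blob. The camouflaged records fail on entropy alone, and `likely_period` then exposes the key length (or a small multiple of it when the plaintext is very regular), after which `recover_key` reads the key back from the data itself. That is what "weak obfuscation algorithm" means in practice: whoever holds the file can undo the protection without any secret, which is the property an encryption claim is supposed to rule out.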