Henry Schein Practice Solutions, Inc. (“Schein”), the provider of leading office management software for dental practices, will pay $250,000 to settle Federal Trade Commission charges it falsely advertised the level of encryption it provided to protect patient data.
The FTC’s complaint alleges that Schein marketed its Dentrix G5 software to dental practices around the country with deceptive claims that the software provided industry-standard encryption of sensitive patient information and, in doing so, ensured that practices using its software would protect patient data, as required by the Health Insurance Portability and Accountability Act (HIPAA).
“Strong encryption is critical for companies dealing with sensitive health information,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “If a company promises strong encryption, it should deliver it.”
In its complaint, the FTC alleges that Schein was aware that Dentrix G5 protected patient data with a method of data masking that is less complex than the Advanced Encryption Standard (AES). AES is recommended as an industry standard by the National Institute of Standards and Technology (NIST) and provides the appropriate protection to meet certain regulatory obligations under HIPAA. Nevertheless, for two years, Schein touted the product’s “encryption capabilities” for protecting patient information and meeting “data protection regulations” in multiple marketing materials, including newsletters and brochures targeted at dentists.
Under the terms of the proposed consent order, Schein will be required to pay $250,000 to the FTC. In addition, the company will be prohibited from misleading customers about the extent to which its products use industry-standard encryption or the extent to which its products help ensure regulatory compliance or protect consumers’ personal information.
In addition, Schein will be required to notify all customers who purchased Dentrix G5 during the period when the company made the misleading statements, informing them that the product does not provide industry-standard encryption, and to provide the FTC with ongoing reports on the notification program.
The Commission vote to issue the administrative complaint and to accept the consent agreement was 4-0. The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through Feb. 4, 2016, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit comments electronically.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions for twenty years. Each violation of such an order may result in a civil penalty of up to $16,000.
The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357).