Henry Schein Practice Solutions, Inc., recently settled a lawsuit filed by the Federal Trade Commission regarding the company’s allegedly deceptive advertising of the encryption and security capabilities of its dental office management software. Henry Schein allegedly violated Section 5 of the FTC Act by claiming its Dentrix G5 software products incorporated industry-standard encryption to protect patient data in accordance with federal requirements under the Health Insurance Portability and Accountability Act (HIPAA). In reality, according to the FTC’s complaint, the proprietary algorithm used to protect such sensitive information had not been tested publicly and was “less secure and more vulnerable” than industry-standard encryption algorithms—such as the Advanced Encryption Standard (AES). The company will pay $250,000 toward consumer redress and relief and is barred from making misleading claims about the data security strength of its products. As the FTC’s blog post on the settlement notes, this is the first time a monetary penalty as disgorgement has been included in a settlement for marketing claims specifically related to data security.
TIP: This settlement serves as a reminder of the seriousness with which the FTC takes its regulatory authority in the privacy space, including companies’ obligation to make truthful, supported claims about the security and encryption capabilities of their products.