On January 5, 2016, the Federal Trade Commission announced that the dental practice-management software provider Henry Schein Practice Solutions, Inc. (“Schein”) agreed to settle FTC charges that the company falsely advertised the level of encryption it used to protect patient data. The proposed Agreement Containing Consent Order (“Consent Order”) stems from an FTC complaint alleging that the company engaged in unfair or deceptive acts or practices by falsely representing that its Dentrix G5 software used industry-standard encryption and helped dentists protect patient data in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
Dentrix G5 is practice-management software that dentists use for office tasks such as entering patient data and sending appointment reminders. The FTC asserted that, in 2012, Dentrix G5 incorporated a third-party database engine whose data-protection feature Schein advertised as “encryption.” According to the complaint, as early as November 2010 the database engine vendor had notified Schein that this form of data protection was a “proprietary algorithm that had not been tested publicly, and was less secure and more vulnerable than widely-used, industry-standard encryption algorithms, such as Advanced Encryption Standard (“AES”) encryption.”
The FTC alleged that Schein was aware that the Department of Health and Human Services (“HHS”) directs health care providers (including most dentists) to protect patient data in accordance with guidance promulgated by the National Institute of Standards and Technology (“NIST”), which recommends AES encryption. Similarly, HHS’ Breach Notification rule requires covered entities responding to a data breach to consider whether the compromised data was encrypted in accordance with the NIST Special Publication 800-111.
According to the complaint, the United States Computer Emergency Readiness Team (US-CERT) issued a vulnerability note in June 2013 indicating that the form of data protection used in Dentrix G5 was a “weak obfuscation algorithm.” In response, the database engine vendor agreed to rebrand the data protection method as “Data Camouflage” rather than “encryption.” Despite the alert and the rebranding, Schein continued to distribute marketing materials stating that Dentrix G5 “encrypts” patient data and offers “encryption.”
The proposed Consent Order will prohibit Schein from misrepresenting whether, and to what extent, a product or service offers industry-standard encryption, helps customers meet regulatory obligations, or maintains the privacy, security, confidentiality and integrity of personal information. The Consent Order will also require Schein to notify affected customers that Dentrix G5 uses a less complex encryption algorithm than AES, and to provide the FTC with ongoing reports on that notification program. In addition, Schein will be required to pay $250,000 to the FTC.