Henry Schein Practice Solutions, Inc., the provider of leading office management software for dental practices, has agreed to pay $250,000 to settle Federal Trade Commission charges for allegedly misrepresenting the advertised level of encryption it provided to protect patient data.

Schein sold management software, known as Dentrix G5, to dental practices.  Dentists used Dentrix G5 to collect and store patients’ sensitive personal information, including Social Security numbers, dates of birth, driver’s license numbers, and diagnoses.  The software was represented as using industry-standard encryption capabilities to protect such personal information.

According to the Complaint, however, the database engine vendor for Dentrix G5 informed Schein that the form of data protection used in the software had not been tested publicly and was less secure and more vulnerable than widely used, industry-standard encryption algorithms. Despite this knowledge, Schein continued to promote Dentrix G5's ability to encrypt patient data and help dentists meet regulatory obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), although encryption is not mandatory.

As Section 5 of the FTC Act does not provide for a monetary penalty, the agreed payment is for the purpose of consumer redress. However, the Order does not explain the process for any of the consumers to make a claim or the standards to be applied for how much would be paid to each affected "consumer." As a result, it is presumed that the $250,000 is disgorgement of income, but there is no rationale as to how this figure was derived or even whether this is the theory justifying the payment. As is usual, the FTC consent order also requires Schein to notify all of its customers who purchased Dentrix G5 that the product does not in fact provide industry-standard encryption, and to submit reports on its notification program to the FTC.

"Strong encryption is critical for companies dealing with sensitive health information," said Jessica Rich, Director of the Federal Trade Commission's Bureau of Consumer Protection. "If a company promises strong encryption, it should deliver it." Indeed, guidance has been provided in the context of HIPAA for what constitutes acceptable encryption standards, as provided by the National Institute of Standards and Technology ("NIST").

Julie D. Hoffmeister

Julie is a partner primarily focusing on financial services litigation. She defends consumer-facing companies of all types in individual claims and class actions, including claims under the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act (DPPA), and the Telephone Consumer Protection Act (TCPA). Julie also applies her litigation knowledge in assisting businesses in developing compliance processes and procedures for the myriad federal consumer protection laws.

Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.