Henry Schein Practice Solutions, Inc., the provider of leading office management software for dental practices, has agreed to pay $250,000 to settle Federal Trade Commission charges for allegedly misrepresenting the advertised level of encryption it provided to protect patient data.
Schein sold management software, known as Dentrix G5, to dental practices. Dentists used Dentrix G5 to collect and store patients’ sensitive personal information, including Social Security numbers, dates of birth, driver’s license numbers, and diagnoses. The software was represented as using industry-standard encryption capabilities to protect such personal information.
According to the Complaint, however, the database engine vendor for Dentrix G5 informed Schein that the form of data protection used in the software had not been tested publicly and was less secure and more vulnerable than widely used, industry-standard encryption algorithms. Despite this knowledge, Schein continued to promote Dentrix G5’s ability to encrypt patient data and to help dentists meet regulatory obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), even though HIPAA does not make encryption mandatory.
As Section 5 of the FTC Act does not provide for a monetary penalty, the agreed payment is for the purpose of consumer redress. However, the Order does not explain the process by which any of the consumers may make a claim, or the standards to be applied in deciding how much would be paid to each affected “consumer.” As a result, it is presumed that the $250,000 is disgorgement of income, but there is no rationale as to how this figure was derived, or even whether this is the theory justifying the payment. As is usual, the FTC consent order also requires Schein to notify all of its customers who purchased Dentrix G5 that the product does not in fact provide industry-standard encryption, and to submit reports on its notification program to the FTC.
“Strong encryption is critical for companies dealing with sensitive health information,” said Jessica Rich, Director of the Federal Trade Commission’s Bureau of Consumer Protection. “If a company promises strong encryption, it should deliver it.” Indeed, guidance already exists in the HIPAA context on what constitutes acceptable encryption standards, namely those published by the National Institute of Standards and Technology (“NIST”).