On May 20, the FTC approved its final order resolving its Complaint against Henry Schein Practice Solutions, Inc. (“Schein”), which came after the expiration of a public comment period. Schein is a provider of office management software for dental practices.
The FTC’s Complaint alleged that Schein misrepresented the encryption capabilities of its Dentrix G5 software in its marketing materials to dentists over a period of two years. Specifically, Schein is alleged to have marketed its software as providing industry-standard encryption sufficient to meet certain HIPAA regulatory obligations. According to the FTC, the software actually used a less complex data masking process to protect personal information, which was in fact below the industry standard. Encryption methods can vary in complexity across different forms of media and data. In an effort to provide an encryption benchmark, the National Institute of Standards and Technology publishes guidance regarding tested encryption procedures.
Under the terms of the final Consent Order, Schein neither admits nor denies any of the allegations brought by the FTC. The Order requires that Schein pay $250,000 to the FTC, and prohibits Schein from making any future misrepresentations as to “industry-standard” product encryption, its ability to maintain the privacy and confidentiality of personal information, and the ability of its products to help customers meet privacy-related regulatory obligations.
Further, the Order requires that Schein notify all affected customers that the Dentrix G5 software “uses a less complex encryption algorithm to protect patient data than Advanced Encryption Standard (“AES”), which is recommended as an industry standard by the National Institute of Standards and Technology.” Schein must also provide the FTC with ongoing reports as to the mandated notification program.
The question of whether information is encrypted has been considered in the context of state data breach notification laws, which exempt the compromise of encrypted data from the category of events requiring notice. This issue may become moot if other states follow Tennessee, which recently amended its consumer protection statute to require notification in the event of a breach of data, whether that data is encrypted or unencrypted.