Henry Schein Practice Solutions will pay $250,000 to settle Federal Trade Commission (FTC) charges that the company falsely advertised the level of encryption it provided to protect patient data.
According to the FTC complaint, the Dentrix G5 software was marketed to practices with "deceptive claims," including that the software "provided industry-standard encryption of sensitive patient information."
The FTC alleged that the company was aware that the software used "a less complex method of data masking to protect patient data than Advanced Encryption Standard." The commission also alleges that the company "touted the product's 'encryption capabilities' " in newsletters and brochures targeted at dentists for two years.
"Strong encryption is critical for companies dealing with sensitive health information," stated Jessica Rich, director of the FTC's Bureau of Consumer Protection, in a press release. "If a company promises strong encryption, it should deliver it."
Besides the settlement payment, the company is required to inform those customers who purchased the software during the time the "misleading statements" were made that it "does not provide industry-standard encryption." The company will also provide the commission with ongoing updates on this notification program.
A Henry Schein representative responded to a request for comment, stating the company "has a long history of serving customers with integrity and honesty," and that the company has been named to "Ethisphere's List of the World's Most Ethical Companies annually since 2012."
"...[w]e had a disagreement with the FTC about how we used the word “encrypted” in Dentrix G5 marketing from early 2012 to January 2014. But we want to assure our customers that our product works, and works well. The security features in Dentrix are part of our evolving product development efforts. What’s more, we have always communicated to customers that the ultimate responsibility for data security and HIPAA compliance resides with each practice. "
"The settlement with the FTC does not represent an admission of wrongdoing regarding the Dentrix product. We made a decision to settle with the FTC to avoid long and costly litigation. We would much prefer to invest our resources into products and services that help our customers operate successful practices and provide quality patient care."
"Dentrix provides multiple features to help protect patient data, especially when used in combination with practice security measures based upon standards, best practices, laws, and regulations. We do recommend that offices employ some form of full disc encryption that utilizes AES-level encryption."
The FTC has opened public comment on the settlement until February 4. You can submit your public comment here.