Henry Schein settles FTC charges it misled customers about encryption of patient data

It appears the FTC acted on a complaint I filed with them last year concerning Henry Schein Dental’s use of the word “encryption” in their marketing and their refusal to individually notify customers that the “encryption” provided by Dentrix G5  was not NIST-grade encryption that would give them Safe Harbor under HIPAA.

Background on my concerns and why I filed a complaint can be found  here, here, and here. Kudos to the researcher who identified the vulnerability and helped me understand its significance. He also filed a supplemental to my complaint to the FTC, further explaining the “encryption” issue.

I’m gratified to see that the FTC agreed with every concern I raised in my complaint.

Here’s the FTC’s press release, with links to their complaint and proposed consent order:

Henry Schein Practice Solutions, Inc. (“Schein”), the provider of leading office management software for dental practices, will pay $250,000 to settle Federal Trade Commission charges it falsely advertised the level of encryption it provided to protect patient data.

The FTC’s complaint alleges that Schein marketed its Dentrix G5 software to dental practices around the country with deceptive claims that the software provided industry-standard encryption of sensitive patient information and, in doing so, ensured that practices using its software would protect patient data, as required by the Health Insurance Portability and Accountability Act (HIPAA).

“Strong encryption is critical for companies dealing with sensitive health information,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “If a company promises strong encryption, it should deliver it.”
In its complaint, the FTC alleges that Schein was aware that Dentrix G5 used a less complex method of data masking to protect patient data than Advanced Encryption Standard (AES), which is recommended as an industry standard by the National Institute of Standards and Technology (NIST) and provides the appropriate protection to meet certain regulatory obligations under HIPAA. Nevertheless, for two years, Schein touted the product’s “encryption capabilities” for protecting patient information and meeting “data protection regulations” in multiple marketing materials, including newsletters and brochures targeted at dentists.

Under the terms of the proposed consent order, Schein will be required to pay $250,000 to the FTC. In addition, the company will be prohibited from misleading customers about the extent to which its products use industry-standard encryption or the extent to which its products help ensure regulatory compliance or protect consumers’ personal information.

In addition, Schein will be required to notify all of its customers who purchased Dentrix G5 during the period when the company made the misleading statements that the product does not provide industry-standard encryption and provide the FTC with ongoing reports on the notification program.

The Commission vote to issue the administrative complaint and to accept the consent agreement was 4-0. The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through Feb. 4, 2016, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit comments electronically.

Henry Schein Responds

Henry Schein reached out to me today after the announcement. Although they will not be issuing a press release, they did send me a statement which says, in part:

Henry Schein is committed to providing our customers products and services they can rely on to build their practices and provide quality care. This commitment is at the heart of all we do. With that as context, we had a disagreement with the FTC about how we used the word “encrypted” in Dentrix G5 marketing from early 2012 to January 2014.

[…]

The settlement with the FTC does not represent an admission of wrongdoing regarding the Dentrix product. We made a decision to settle with the FTC to avoid long and costly litigation. We would much prefer to invest our resources into products and services that help our customers operate successful practices and provide quality patient care.

[…]

Dentrix provides multiple features to help protect patient data, especially
when used in combination with practice security measures based upon standards, best practices, laws, and regulations. We do recommend that offices employ some form of full disc encryption that utilizes AES-level encryption.

And Now You Know

In a way, this consent order is a better outcome for patients and consumers than if Henry Schein had taken my advice to individually notify customers, in which case, I wouldn’t have filed a complaint. As a result of this consent order, we now have guidance as to how the FTC views the use of the word “encryption” in marketing or advertising. And that might also have significant implications for breach notification letters in the event of a breach. If an entity tells consumers that data were “encrypted” when they were only MD5 hashed, how might the FTC view that claim? I would bet that they might find that a deceptive (“unfair”) practice that puts consumers at risk by not accurately informing them of how secure the data were and the likelihood that someone could crack the “encryption.”

Update: The FTC Blog for Businesses also has a post on this matter, FTC takes on toothless encryption claims for dental practice software.

About the author: Dissent