Henry Schein, a dental practice management vendor, has agreed to pay $250,000 to settle Federal Trade Commission charges that the company falsely advertised the level of encryption it provided to protect patient data.
According to the FTC, Schein marketed its Dentrix G5 software to dental practices nationwide with “deceptive claims that the software provided industry-standard encryption of sensitive patient information and, in doing so, ensured that practices using its software would protect patient data,” as required by HIPAA.
The regulatory agency alleges that Schein was “aware that Dentrix G5 used a less complex method of data masking…than Advanced Encryption Standard (AES), which is recommended as an industry standard by the National Institute of Standards and Technology (NIST) and provides the appropriate protection to meet certain regulatory obligations under HIPAA.”
The FTC charges that, for two years, Schein touted the product’s encryption capabilities for protecting patient information and the ability of the product to meet “data protection regulations” in multiple marketing materials, including newsletters and brochures targeted at dentists.
As part of the settlement, the company will be prohibited from misleading customers about the extent to which its products use industry-standard encryption or the extent to which its products help ensure regulatory compliance or protect consumers’ personal information. In addition, Schein will be required to notify all customers who purchased Dentrix G5 during the period when the company made the misleading statements, informing them that the product does not provide industry-standard encryption. Schein also must provide the FTC with ongoing reports on the notification program.
In a written statement, Schein said it had a disagreement with the FTC about how the company used the word “encrypted” in Dentrix G5 marketing material from early 2012 to January 2014.
Nonetheless, the vendor insisted that its product works well. “The security features in Dentrix are part of our evolving product development efforts,” a Schein statement indicated. “Dentrix provides multiple features to help protect patient data, especially when used in combination with practice security measures based upon standards, best practices, laws and regulations. We do recommend that offices employ some form of full disc encryption that utilizes AES-level encryption.”
At the same time, Schein argued that the settlement with the FTC does not represent an admission of wrongdoing regarding the Dentrix product. “We made a decision to settle with the FTC to avoid long and costly litigation,” said the company. “We would much prefer to invest our resources into products and services that help our customers operate successful practices and provide quality patient care.”
(This article appears courtesy of our sister publication, Health Data Management)