Henry Schein, Melville, NY, has agreed to pay $250,000 to settle Federal Trade Commission (FTC) charges that the company falsely advertised the level of encryption provided to protect patient data.
The FTC complaint alleges that Henry Schein marketed its Dentrix G5 software to dental practices around the country with deceptive claims that the software provided industry-standard encryption of sensitive patient information and, in doing so, ensured that practices using its software would protect patient data, as required by the Health Insurance Portability and Accountability Act (HIPAA).
In its complaint, the FTC alleges that Henry Schein was aware that Dentrix G5 protected patient data with a method of data masking less complex than the Advanced Encryption Standard (AES), which is recommended as an industry standard by the National Institute of Standards and Technology (NIST) and provides the appropriate protection to meet certain regulatory obligations under HIPAA. Nevertheless, for 2 years, the FTC says Henry Schein touted the product’s “encryption capabilities” for protecting patient information and meeting “data protection regulations” in multiple marketing materials, including newsletters and brochures targeted at dentists.
Under the terms of the proposed consent order, Henry Schein will be required to pay $250,000 to the FTC. In addition, the company will be prohibited from misleading customers about the extent to which its products use industry-standard encryption or the extent to which its products help ensure regulatory compliance or protect consumers’ personal information.
Henry Schein will also be required to notify all customers who purchased Dentrix G5 during the period when the company made the misleading statements, informing them that the product does not provide industry-standard encryption, and to provide the FTC with ongoing reports on the notification program.