Henry Schein settles with FTC over complaints about software
February 01, 2016
Henry Schein Practice Solutions, Inc. will pay $250,000 to settle Federal Trade Commission charges it falsely advertised the level of encryption it provided to protect patient data, according to the federal agency.
The FTC’s complaint alleges that Schein marketed its Dentrix G5 software to dental practices with deceptive claims that the software provided industry-standard encryption of sensitive patient information and, by doing so, ensured that practices using its software would protect patient data, as required by the Health Insurance Portability and Accountability Act.
In its complaint, the FTC alleges that Schein was aware that Dentrix G5 protected patient data with a method of data masking that is less complex than the Advanced Encryption Standard, which is recommended as an industry standard by the National Institute of Standards and Technology and provides the appropriate protection to meet certain regulatory obligations under HIPAA. The FTC said that for two years Schein touted the product’s encryption capabilities for protecting patient information and meeting data protection regulations in multiple marketing materials, including newsletters and brochures targeted at dentists.
“The settlement with the FTC does not represent an admission of wrongdoing regarding the Dentrix product,” Susan Vassallo, vice president of corporate communications for Henry Schein, said in an emailed statement. “We made a decision to settle with the FTC to avoid long and costly litigation. We would much prefer to invest our resources into products and services that help our customers operate successful practices and provide quality patient care.”
Under the terms of the proposed consent order, Schein will be required to pay $250,000 to the FTC. In addition, the company will be prohibited from misleading customers about the extent to which its products use industry-standard encryption or the extent to which its products help ensure regulatory compliance or protect consumers’ personal information, according to the FTC.
Schein will also be required to notify all of its customers who purchased Dentrix G5 during the period when the company made the misleading statements, informing them that the product does not provide industry-standard encryption, and to provide the FTC with ongoing reports on the notification program.
“We value our customers, and as their trusted partner, we make it a priority to help protect the security of their information. To that end, we continuously upgrade and improve our product and service offerings and advise our customers that they also need to take steps to protect the security of the data,” Ms. Vassallo said. “Dentrix provides multiple features to help protect patient data, especially when used in combination with practice security measures based upon standards, best practices, laws and regulations. We do recommend that offices employ some form of full disk encryption that utilizes Advanced Encryption Standard-level encryption.”