On January 5, 2016, the Federal Trade Commission (“FTC”) announced that it has reached a settlement of administrative charges filed against Henry Schein Practice Solutions, Inc. (“Schein”), a leading provider of office management software for dental practices. The settlement relates to allegations that Schein falsely advertised the level of encryption that it provided to protect patient data.

 

The FTC alleged that Schein marketed Dentrix G5 software to dental practices nationally, claiming that it provided industry-standard encryption of sensitive patient information and met the requirements of the Health Insurance Portability and Accountability Act. The FTC contended that, as early as November 2010, Schein was aware that Dentrix G5 was less secure and more vulnerable than widely used, industry-standard encryption algorithms such as Advanced Encryption Standard (“AES”) encryption. Stein allegedly knew that its software did not meet the National Institute of Standards and Technology’s (“NIST”) recommended standard to achieve HIPAA compliance. The FTC charged that Schein’s marketing improperly touted the software’s encryption capabilities for protecting patient information and meeting data protection regulations.

 

Under the terms of the proposed consent order, Schein will pay $250,000 to the FTC. Also, Schein will be required to notify consumers that the FTC claimed that the software provider deceptively advertised from early 2012 to January 2014 that Dentrix G5 encrypts patient data and helps dentists meet HIPAA’s security requirements. In an agreed upon form of written notice, Schein acknowledged that its “software uses a less complex method that doesn’t meet the AES encryption standard recommended by HHS and NIST,” such that dental practices relying on Dentrix G5 software alone would not qualify for the safe harbor under HHS’s Breach Notification Rule. As of January 2014, Schein’s marketing materials have stated more accurately that its software “masks” data, but does not encrypt it.

 

The FTC has issued the consent order for public comment through February 4. When the FTC issues a consent order on a final basis, it creates the force of law with respect to future actions for twenty years. This regulatory action is significant to show the expansive reach of the FTC’s oversight authority in consumer protection. As shown in the action, the FTC will scrutinize not only the use and protection of data, but also the marketing and public depiction of data protection services and products.