NP Privacy Partner
1/11/2016
FTC settles with software provider over encryption claims
On January 5, 2016, the Federal Trade Commission (“FTC”) announced that it has reached a settlement of administrative charges filed against Henry Schein Practice Solutions, Inc. (“Schein”), a leading provider of office management software for dental practices. The settlement relates to allegations that Schein falsely advertised the level of encryption that it provided to protect patient data.
The FTC alleged that Schein marketed Dentrix G5 software to dental practices nationally, claiming that it provided industry-standard encryption of sensitive patient information and met the requirements of the Health Insurance Portability and Accountability Act. The FTC contended that, as early as November 2010, Schein was aware that Dentrix G5 was less secure and more vulnerable than widely used, industry-standard encryption algorithms such as Advanced Encryption Standard (“AES”) encryption. Schein allegedly knew that its software did not meet the National Institute of Standards and Technology’s (“NIST”) recommended standard to achieve HIPAA compliance. The FTC charged that Schein’s marketing improperly touted the software’s encryption capabilities for protecting patient information and meeting data protection regulations.
Under the terms of the proposed consent order, Schein will pay $250,000 to the FTC. Also, Schein will be required to notify consumers that the FTC claimed that the software provider deceptively advertised from early 2012 to January 2014 that Dentrix G5 encrypts patient data and helps dentists meet HIPAA’s security requirements. In an agreed-upon form of written notice, Schein acknowledged that its “software uses a less complex method that doesn’t meet the AES encryption standard recommended by HHS and NIST,” such that dental practices relying on Dentrix G5 software alone would not qualify for the safe harbor under HHS’s Breach Notification Rule. As of January 2014, Schein’s marketing materials have stated more accurately that its software “masks” data, but does not encrypt it.
The FTC has issued the consent order for public comment through February 4. When the FTC issues a consent order on a final basis, it carries the force of law with respect to future actions for twenty years. This regulatory action is significant because it shows the expansive reach of the FTC’s oversight authority in consumer protection. As shown in the action, the FTC will scrutinize not only the use and protection of data, but also the marketing and public depiction of data protection services and products.
Posted at 10:28 AM by Richard, Steven | Category: Advertising and Marketing; Enforcement Litigation; Consumer Privacy; Privacy Litigation & Class Action