NP Privacy Partner
FTC settles with software provider over encryption claims
On January 5, 2016, the Federal Trade Commission (“FTC”) announced that it had reached a settlement of administrative charges filed against Henry Schein Practice Solutions, Inc. (“Schein”), a leading provider of office management software for dental practices. The settlement relates to allegations that Schein falsely advertised the level of encryption that it provided to protect patient data.
 
The FTC alleged that Schein marketed Dentrix G5 software to dental practices nationally, claiming that it provided industry-standard encryption of sensitive patient information and met the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”). The FTC contended that, as early as November 2010, Schein was aware that Dentrix G5 was less secure and more vulnerable than widely used, industry-standard encryption algorithms such as Advanced Encryption Standard (“AES”) encryption. Schein allegedly knew that its software did not meet the National Institute of Standards and Technology’s (“NIST”) recommended standard to achieve HIPAA compliance. The FTC charged that Schein’s marketing improperly touted the software’s encryption capabilities for protecting patient information and meeting data protection regulations.
 
Under the terms of the proposed consent order, Schein will pay $250,000 to the FTC. Schein will also be required to notify consumers that the FTC claimed that the software provider deceptively advertised from early 2012 to January 2014 that Dentrix G5 encrypts patient data and helps dentists meet HIPAA’s security requirements. In an agreed-upon form of written notice, Schein acknowledged that its “software uses a less complex method that doesn’t meet the AES encryption standard recommended by HHS and NIST,” such that dental practices relying on Dentrix G5 software alone would not qualify for the safe harbor under HHS’s Breach Notification Rule. As of January 2014, Schein’s marketing materials have stated more accurately that its software “masks” data, but does not encrypt it.
 
The FTC has issued the consent order for public comment through February 4. When the FTC issues a consent order on a final basis, it carries the force of law with respect to future actions for twenty years. This regulatory action is significant because it shows the expansive reach of the FTC’s oversight authority in consumer protection. As shown in the action, the FTC will scrutinize not only the use and protection of data, but also the marketing and public depiction of data protection services and products.

This website contains attorney advertising. Prior results do not guarantee a similar outcome. © 2018 Nixon Peabody LLP