Henry Schein has agreed to pay $250,000 to settle Federal Trade Commission charges that it falsely advertised the level of encryption provided by its Dentrix G5 software for dentists’ practices.
The distributor of medical, dental and veterinary products also agreed to notify customers who bought the software during the two-year period when the company made the misleading statements that it, in fact, does not provide industry-standard encryption.
A system called Advanced Encryption Standard is recommended as the industry standard by the National Institute of Standards and Technology to safeguard data under HIPAA, a 1996 federal law that set requirements for privacy of health records. The FTC, which announced the settlement on Tuesday, said Henry Schein was aware that the software used a less complex method of “data masking,” but touted it as meeting “data protection regulations” in marketing materials.
“Strong encryption is critical for companies dealing with sensitive health information,” Jessica Rich, director of the FTC’s bureau of consumer protection, said in a statement. “If a company promises strong encryption, it should deliver it.”
In a statement, Henry Schein said the settlement “does not represent an admission of wrongdoing” and that the company “made a decision to settle with the FTC to avoid long and costly litigation.”
The company said that despite the “disagreement with the FTC” covering marketing from early 2012 to January 2014, customers always were informed that “ultimate responsibility for data security and HIPAA compliance resides with each practice.” Company officials said Henry Schein recommends that dentists use AES-level encryption in addition to the safeguards included with Dentrix software.
The FTC voted 4-0 to accept the consent agreement, which will be subject to public comment for 30 days continuing through Feb. 4. After that period the FTC will decide whether to make the consent order final.