False Advertising of Data Encryption lands 20-Year Consent Order and $250K FTC Fine for Henry Schein

The FTC has ordered Henry Schein Practice Solutions, Inc., to pay $250,000 and to comply with a 20-year consent order, after a recent ruling found that the company had “falsely advertised the level of encryption it provided to protect patient data”.

The company has been ordered to stop making false and misleading claims and must notify its customers that Dentrix G5 uses a lower standard of encryption than advertised.

Henry Schein marketed Dentrix G5 to dentists with the suggestion that the software's encryption would help them comply with HIPAA. Dentrix G5 did not use AES, however; it relied on a proprietary algorithm that fell short of the level of protection HHS recommends for HIPAA-covered entities.

Its scheme was far weaker than AES, so much so that the United States Computer Emergency Readiness Team (US-CERT) issued a Vulnerability Note and alert in 2013 advising Henry Schein to change its marketing and branding to avoid any confusion with AES encryption. US-CERT said the feature should be described as data camouflage rather than data encryption.

Despite that warning, Henry Schein continued to market its database software as incorporating data encryption until January 2014. Once the change had been made, Henry Schein did not inform earlier purchasers of Dentrix G5 that its encryption did not meet the AES standard recommended by HHS. Dentists using Dentrix G5 were led to believe they had protected patient data to the standard HIPAA requires when they had not.

The HIPAA Security Rule defines encryption as the “use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key”.

Covered entities must ensure that the strength of their encryption is appropriate. Not all encryption software secures data to the same degree, and a transform whose key or process is not actually confidential (for example, one built into every copy of the software) does not meet that definition. Such methods are better described as data camouflage than as data encryption.

The Department of Health and Human Services’ Office for Civil Rights recommends using robust encryption that adheres to a nationally recognized standard such as the Advanced Encryption Standard (AES), approved by the National Institute of Standards and Technology (NIST).
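The distinction drawn in the preceding paragraphs, between a reversible transform whose key ships inside the software and encryption under a key that only the covered entity holds, is shown in the Go example below. It is added here for illustration and is not code from the page or from Henry Schein; the Dentrix G5 algorithm is not described in detail anywhere on this page, so the repeating-key XOR, the constant camouflageKey and the sample records are all constructed stand-ins. The AES-256-GCM half uses only the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// camouflageKey stands in for a constant compiled into every copy of an
// application. Constructed for this example; it is not Dentrix's actual scheme.
var camouflageKey = []byte("fixed-obfuscation-key!")

// camouflage applies a repeating-key XOR. Because the same key ships with the
// software, the "confidential process or key" the Security Rule definition
// relies on does not exist, and the transform is its own inverse.
func camouflage(data []byte) []byte {
	return xorWith(camouflageKey, data)
}

// xorWith XORs data against key, repeating the key as needed.
func xorWith(key, data []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ key[i%len(key)]
	}
	return out
}

// recoverCamouflageKey needs only one record whose plaintext is known (a fixed
// file header, a known patient name): key[i] = known[i] XOR obfuscated[i].
func recoverCamouflageKey(known, obfuscated []byte, keyLen int) ([]byte, error) {
	if len(known) < keyLen || len(obfuscated) < keyLen {
		return nil, errors.New("known plaintext shorter than key length")
	}
	return xorWith(known[:keyLen], obfuscated[:keyLen]), nil
}

// newDataKey generates a 256-bit key that lives only on the covered entity's
// system (e.g. in a key store), never inside the vendor's binary.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// sealAESGCM encrypts and authenticates one record with AES-256-GCM and a
// fresh random nonce, returning nonce || ciphertext || tag.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM. Without the right key it returns an error
// rather than garbage, so the record can be neither read nor silently altered.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	// Constructed sample records (not real patient data).
	header := []byte("PATIENT RECORD v1 CONFIDENTIAL")
	record := []byte("PATIENT: Jane Doe|DOB: 1980-01-01|SSN: 123-45-6789")

	// An attacker holding only the obfuscated database and a guess at the
	// header recovers the key and reads every other record.
	key, err := recoverCamouflageKey(header, camouflage(header), len(camouflageKey))
	if err != nil {
		panic(err)
	}
	fmt.Printf("camouflage key recovered: %v\n", bytes.Equal(key, camouflageKey))
	fmt.Printf("record recovered: %q\n", xorWith(key, camouflage(record)))

	// The same record under AES-GCM: the correct key opens it, any other key fails.
	k1, _ := newDataKey()
	k2, _ := newDataKey()
	sealed, err := sealAESGCM(k1, record)
	if err != nil {
		panic(err)
	}
	pt, err := openAESGCM(k1, sealed)
	fmt.Printf("AES-GCM right key: %q (err=%v)\n", pt, err)
	_, err = openAESGCM(k2, sealed)
	fmt.Printf("AES-GCM wrong key: err=%v\n", err)
}
```

The point of the contrast is the definition quoted above: for the XOR scheme there is a high probability of assigning meaning to the stored data without any secret at all, since one known record hands over the key, whereas the AES-GCM records yield nothing (and reject tampering) unless the per-installation key is present.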

Henry Schein Practice Solutions, Inc., a vendor of software for dentists and dental practices, chose a different, proprietary scheme for its Dentrix G5 software. The software allows dentists to enter and record patient data, process claims and payments, and send appointment updates.

Dentists are covered entities under HIPAA and must therefore put in place administrative, technical and physical safeguards to keep patient data secure. Henry Schein was aware that HHS recommended the AES standard for encryption, and of the conditions HIPAA-covered entities must meet to qualify for the HHS safe harbor for encrypted data.