False Advertising of Data Encryption lands 20-Year Consent Order and $250K FTC Fine for Henry Schein

by | Jan 9, 2016

The FTC has ordered Henry Schein Practice Solutions, Inc., to pay a fine of $250,000, and the company must also comply with a 20-year consent order after a recent ruling found that the company had “falsely advertised the level of encryption it provided to protect patient data”.

The company has now been ordered to cease making false and misleading claims and must warn its customers about the lower standard of encryption used by Dentrix G5.

Henry Schein marketed its software to dentists by suggesting that the encryption used by its Dentrix G5 software solution would help dentists comply with HIPAA regulations. However, Dentrix G5 did not use AES encryption; instead, the company used a proprietary algorithm that did not provide the level of security required by HIPAA.

Its encryption was far weaker than AES. So much so that the United States Computer Emergency Readiness Team (US-CERT) issued a Vulnerability Note and Alert back in 2013, advising Henry Schein that it must change its marketing and branding to avoid any confusion with AES encryption. US-CERT said its data encryption should instead be described as data camouflage.

Even after that warning was issued, Henry Schein went on marketing its database software as incorporating data encryption until January 2014. Once the change had been made, Henry Schein did not inform previous purchasers of Dentrix G5 that its encryption was not up to the same standard as AES, as recommended by the HHS. Dentists using Dentrix G5 were led to believe that they had protected data to the standard required by HIPAA when they had not done so.

The definition of encryption under the HIPAA Security Rule describes it as the “use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key”.

Covered bodies must ensure that the strength of the encryption software is appropriate. Not all encryption software secures data to the same degree; in fact, some methods of encryption are better described as data camouflage than as data encryption.

The Department of Health and Human Services’ Office for Civil Rights recommends using robust encryption that adheres to a nationally recognized standard such as the Advanced Encryption Standard (AES), approved by the National Institute of Standards and Technology (NIST).

Henry Schein Practice Solutions, Inc., a vendor of software solutions for dentists and dental practices, chose a different encryption standard for its Dentrix G5 software solution. The software allows dentists to enter and record patient data, process claims and payments, and send appointment updates.

Dentists are covered under HIPAA and must therefore put in place a number of administrative, technical and physical measures to keep patient data secure. Henry Schein was aware that the AES standard for encryption was recommended by HHS, and also of the requirements HIPAA-covered bodies must meet to rely on the HHS safe harbor for encrypted data.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile.