Dental software firm to pay for overstating data protection
A company that provides office management software for dental practices nationally has agreed to pay $250,000 to settle Federal Trade Commission charges that it falsely advertised the level of encryption it provided to protect patient data, the agency said.
Melville, New York-based Henry Schein Inc. said it disagreed with the FTC over how it used the word “encrypted” in its marketing material.
The FTC charged that Schein marketed its Dentrix G5 software to dental practices nationwide with deceptive claims that it provided industry-standard encryption of sensitive patient information, as required by the Health Insurance Portability and Accountability Act, when in fact it did not meet that standard.
The FTC said Schein was aware Dentrix G5 used a less complex method of data masking to protect patient data rather than the Advanced Encryption Standard recommended by the Gaithersburg, Maryland-based National Institute of Standards and Technology.
Nevertheless, for two years Schein said in its promotional material that its product met “data protection regulations,” the FTC said.
Under terms of the settlement announced Tuesday, Schein must notify all its customers who purchased the Dentrix G5 software that it does not provide industry-standard encryption and provide the FTC with ongoing reports on the notification program, among other provisions.
“Strong encryption is critical for companies dealing with sensitive health information,” said Jessica Rich, director of the FTC's Bureau of Consumer Protection, in a statement. “If a company promises strong encryption, it should deliver it.”
The company said in its statement, “Henry Schein is committed to providing our customers products and services they can rely on to build their practices and provide quality care. This commitment is at the heart of all we do. With that as context, we had a disagreement with the FTC about how we used the word 'encrypted' in Dentrix G5 marketing from early 2012 to January 2014. But we want to assure our customers that our product works, and works well. The security features in Dentrix are part of our evolving product development efforts.
"What's more, we have always communicated to customers that the ultimate responsibility for data security and HIPAA compliance resides with each practice. The settlement with the FTC does not represent an admission of wrongdoing regarding the Dentrix product. We made a decision to settle with the FTC to avoid long and costly litigation. We would much prefer to invest our resources into products and services that help our customers operate successful practices and provide quality patient care."