HealtHITech Law HIPAA, HITECH and Beyond

Software Vendor Misrepresented HIPAA Encryption Capabilities

Posted in Electronic Health Record, Enforcement, Software

The Federal Trade Commission (“FTC”) recently announced a settlement with Henry Schein Practice Solutions, Inc., a dental practice software provider, concluding an investigation into claims that Henry Schein misled customers about the encryption capabilities of its software.

According to the FTC, Henry Schein advertised its Dentrix G5 software as meeting industry encryption standards even though the company knew that the software protected patient data with a proprietary data-masking technique rather than the NIST-recommended standard (AES). The patient data within the Dentrix G5 database was not encrypted, merely camouflaged: a reversible transformation that does not depend on a secret key offers none of the protection that encryption does. Henry Schein nevertheless marketed Dentrix G5 to providers as meeting HIPAA requirements, and it failed to correct those claims with its customers after it became aware of the software's shortcomings.
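To make the distinction concrete, the following Go program is an added illustration written for this post; it is not code from the original article and is not a description of how Dentrix G5 actually worked. It contrasts a hypothetical fixed-pattern "masking" step (the constant `maskKey` and the functions `Mask`, `RecoverMask` and `UnmaskWithRecovered` are invented for the example) with AES-256-GCM, the NIST-standardised cipher and mode. With masking, a single known record reveals the pattern and every other record can be read; with AES-GCM, the same attack yields nothing without the key, identical plaintexts produce distinct ciphertexts, and a wrong key fails authentication instead of returning garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// maskKey is a hypothetical, fixed, non-secret byte pattern standing in for a
// "proprietary masking" step. It is baked into the program, so anyone with the
// software (or one known record) can reverse it. This is NOT Dentrix's scheme.
var maskKey = []byte("MASK")

// Mask XORs data against the repeating fixed pattern. Mask(Mask(x)) == x.
func Mask(data []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ maskKey[i%len(maskKey)]
	}
	return out
}

// RecoverMask shows why fixed masking is not encryption: one known
// plaintext/masked pair reveals the whole pattern, with no secret required.
func RecoverMask(knownPlain, knownMasked []byte, period int) []byte {
	k := make([]byte, period)
	for i := 0; i < period; i++ {
		k[i] = knownPlain[i] ^ knownMasked[i]
	}
	return k
}

// UnmaskWithRecovered applies a recovered pattern to any other masked record.
func UnmaskWithRecovered(masked, recovered []byte) []byte {
	out := make([]byte, len(masked))
	for i, b := range masked {
		out[i] = b ^ recovered[i%len(recovered)]
	}
	return out
}

// Encrypt uses AES-256-GCM (AES: FIPS 197; GCM: NIST SP 800-38D) with a fresh
// random nonce per record. The returned record is nonce || ciphertext || tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. A wrong key or a modified record fails the GCM
// authentication check and returns an error rather than bogus plaintext.
func Decrypt(key, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample records for the demonstration; not real patient data.
	known := []byte("PATIENT: Jane Roe, DOB 1970-01-01")
	target := []byte("PATIENT: John Doe, SSN 000-00-0000")

	// Attacker holding one known record and its masked form recovers the
	// pattern and then reads every other masked record.
	recovered := RecoverMask(known, Mask(known), len(maskKey))
	fmt.Printf("recovered mask %q -> %q\n", recovered, UnmaskWithRecovered(Mask(target), recovered))

	// With real encryption the key is secret and the same plaintext encrypts
	// differently each time, so a known record teaches the attacker nothing.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	c1, _ := Encrypt(key, target)
	c2, _ := Encrypt(key, target)
	fmt.Println("same plaintext, distinct ciphertexts:", !bytes.Equal(c1, c2))
	_, err := Decrypt(make([]byte, 32), c1)
	fmt.Println("decrypt with wrong key fails:", err != nil)
}
```

The first half is the whole argument against "camouflage": a transformation with no secret input is a format, not a cipher, and the FTC's complaint turned on exactly that gap. The second half is what a vendor claiming "industry-standard encryption" should be able to show you, ideally backed by a FIPS 140-validated module and a documented answer to where the key lives.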

In the complaint, the FTC alleged that Henry Schein's encryption claims would be material to providers deciding whether to notify affected individuals after a suspected breach, because PHI that is encrypted in accordance with HHS guidance is not "unsecured PHI" and its loss does not trigger notification under HIPAA's Breach Notification Rule. The guidance ties that safe harbor to NIST-approved encryption (NIST Special Publication 800-111 for data at rest, and the NIST transport guidance for data in motion) and to the decryption key not having been compromised along with the data. This enforcement should serve as a reminder to providers to verify whether their (or their vendors') encryption technology actually qualifies for the safe harbor rather than taking the word "encrypted" at face value. Rigorous due diligence before engaging a vendor, including asking which algorithm is used, whether the cryptographic module is FIPS 140 validated, and where the keys are stored, and robust contractual representations concerning encryption technology are two ways providers can protect themselves in this regard.

The complaint, proposed consent order, and FTC press release may be accessed here.