Peter A Clarke

Never let it be said that the Federal Trade Commission (“FTC”) doesn’t have a sense of humour.  When it took issue with a Henry Shein Practice Solutions Inc’s claim that its software encrypted dental patients’ data its press release was FTC takes on toothless encryption claims for dental practice software.  Nice.

What is more of a worry is how sporadically data is encrypted and often when the encryption is used it does not meet industry standards.  It is not that expensive to do so and for medical records the cost is more than outweighed by the huge damage associated with a breach or misuse of that information.

Shein knew that the encryption it used in its software was not an established and, more to the point, knew it was vulnerable. It had received a vulnerability notice from US authorities in 2013 regarding the algorithm it used.  Notwithstanding that it represented until January 2014 that its software encrypted patient data.

The FTC filed complaint.  This is resulted in an agreement by Schein to a consent order.  The sting is that Schein has agreed to pay a fine of $250,000.  It is also has to comply with a regime of inspection by and provision of information to the FTC relating to compliance for 5 years.  The order will terminate in 20 years.

The media release is informative providing:

When a company promises to encrypt dentists’ patient data, but fails to live up to established standards, it shouldn’t come as a surprise that the FTC would bristle. A $250,000 proposed settlement with Henry Schein Practice Solutions, Inc., and a new FTC video remind companies to brush up on security-related data hygiene.

Schein sells software to help dentists manage their practices. Many dentists use the company’s Dentrix G5 software to enter patient data, send appointment reminders, process payments and insurance claims, and add clinical notes. That can involve lots of sensitive stuff, including contact information, Social Security numbers, dates of birth, IDs and passwords, insurance providers, and details about diagnoses and prescriptions.

The security of patient data is of particular concern to dentists and other healthcare providers because of their obligations under HIPAA. To help them meet those requirements, HHS cites guidance from the National Institute of Standards and Technology (NIST), which recommends Advanced Encryption Standard (AES) encryption – a nationally recognized standard. HHS’ Breach Notification Rule includes a safe harbor that says dentists don’t have to notify patients about certain breaches if the information was encrypted consistent with the standard cited by NIST.

According to the FTC, Schein was aware of the recommendation of AES, knew about the HHS safe harbor for encrypted data, and understood why encryption would be a key selling feature for dentists. So the company hit that point hard in its promotional material. For example, according to a sales brochure, “The database also provides new encryption capabilities that can help keep patient records safe and secure. And of course, encryption plays a key role in your efforts to stay compliant with HIPAA security standards.”

But there was something else the company knew. It knew that despite its “encryption” claim, Dentrix G5 didn’t use an established standard like AES encryption. Instead, it used a less secure and more vulnerable proprietary algorithm. Then in June 2013, the United States Computer Emergency Readiness Team (US-CERT) issued a Vulnerability Note and Alert publicly stating that the vendor of the less secure algorithm had agreed to rebrand its method as “Data Camouflage” so it wouldn’t be confused with encryption algorithms like AES.

But according to the FTC, despite receiving US-CERT’s Note, Schein continued to claim until January 2014 that Dentrix G5 “encrypts patient data.” The FTC says the company didn’t clearly alert dentists who bought Dentrix G5 before that date that its software used a method less complex than a standard encryption algorithm like AES. It’s likely that accurate information would have been material to dentists because had they known the truth, they may have taken additional steps to secure patient data. In addition, the company’s statements could have led dentists to mistakenly think they qualified for the HHS safe harbor in the event of a data breach.  

The complaint charges that Schein falsely claimed that Dentrix GS provides industry-standard encryption and helps dentists protect patient data, as required by HIPAA.

The remedies in the proposed settlement are worth noting. The order prohibits the company from making misleading claims about the extent to which its products use industry-standard encryption, help ensure regulatory compliance, or protect consumers’ personal information. The company also will notify customers still using Dentrix G5 that the product doesn’t provide industry-standard encryption. In addition, the company will pay $250,000 as disgorgement. That’s a fairly common provision in FTC advertising cases, but a first for marketing claims specifically related to data security. You can file a public comment about the proposed settlement by February 4, 2016.