FTC takes on toothless encryption claims for dental practice software

When a company promises to encrypt dentists’ patient data, but fails to live up to established standards, it shouldn’t come as a surprise that the FTC would bristle. A $250,000 proposed settlement with Henry Schein Practice Solutions, Inc., and a new FTC video remind companies to brush up on security-related data hygiene.

Schein sells software to help dentists manage their practices. Many dentists use the company’s Dentrix G5 software to enter patient data, send appointment reminders, process payments and insurance claims, and add clinical notes. That can involve lots of sensitive stuff, including contact information, Social Security numbers, dates of birth, IDs and passwords, insurance providers, and details about diagnoses and prescriptions.

The security of patient data is of particular concern to dentists and other healthcare providers because of their obligations under HIPAA. To help them meet those requirements, HHS cites guidance from the National Institute of Standards and Technology (NIST), which recommends Advanced Encryption Standard (AES) encryption – a nationally recognized standard. HHS’ Breach Notification Rule includes a safe harbor that says dentists don’t have to notify patients about certain breaches if the information was encrypted consistent with the standard cited by NIST.

According to the FTC, Schein was aware of the recommendation of AES, knew about the HHS safe harbor for encrypted data, and understood why encryption would be a key selling feature for dentists. So the company hit that point hard in its promotional material. For example, according to a sales brochure, “The database also provides new encryption capabilities that can help keep patient records safe and secure. And of course, encryption plays a key role in your efforts to stay compliant with HIPAA security standards.”

But there was something else the company knew. It knew that despite its “encryption” claim, Dentrix G5 didn’t use an established standard like AES encryption. Instead, it used a less secure and more vulnerable proprietary algorithm. Then in June 2013, the United States Computer Emergency Readiness Team (US-CERT) issued a Vulnerability Note and Alert publicly stating that the vendor of the less secure algorithm had agreed to rebrand its method as “Data Camouflage” so it wouldn’t be confused with encryption algorithms like AES.

But according to the FTC, despite receiving US-CERT’s Note, Schein continued to claim until January 2014 that Dentrix G5 “encrypts patient data.” The FTC says the company didn’t clearly alert dentists who bought Dentrix G5 before that date that its software used a method less complex than a standard encryption algorithm like AES. It’s likely that accurate information would have been material to dentists because had they known the truth, they may have taken additional steps to secure patient data. In addition, the company’s statements could have led dentists to mistakenly think they qualified for the HHS safe harbor in the event of a data breach.  

The complaint charges that Schein falsely claimed that Dentrix GS provides industry-standard encryption and helps dentists protect patient data, as required by HIPAA.

The remedies in the proposed settlement are worth noting. The order prohibits the company from making misleading claims about the extent to which its products use industry-standard encryption, help ensure regulatory compliance, or protect consumers’ personal information. The company also will notify customers still using Dentrix G5 that the product doesn’t provide industry-standard encryption. In addition, the company will pay $250,000 as disgorgement. That’s a fairly common provision in FTC advertising cases, but a first for marketing claims specifically related to data security. You can file a public comment about the proposed settlement by February 4, 2016.

The FTC's Start with Security campaign uses lessons from FTC cases to help businesses avoid security pitfalls. Today the FTC debuted a short video that the company in this case would have done well to heed: Use strong encryption to store and transmit sensitive data securely.



Great work, Justin. Actually making a difference in a true David vs. Goliath story.

Thanks Dan! I couldn't of made it this far without Dissent\PogoWasRight. She is a neat lady.

This isn't the first time that Schein has been found playing fast and loose.

Please note all readers that there is a public comment period. It is mentioned at the end of the blog post without a link. https://ftcpublic.commentworks.com/ftc/henryscheinconsent/

As Schein is an effective monopoly with Dentrix with possibly 50,000 plus practices out of 90,000in US, their action harms most American citizens, most US dentists, and all their competitors. Several years ago they acquired Axium and possibly more than 90% if not 100% of US dental schools now use their software, and they have Henry Schein Stores in most dental schools in the US. Besides Dentrix they also own Easy Dental, Dentrix Enterprise, and Software of Excellence.

I am interested to see if anyone does a public comment. I think something worth looking at is the Dentrix Developer Program costs and exclusive agreements that Schein, like when they restricted everyone but DemandForce to confirm appointments in the Database. And what about this interoperability roadmap? I would like to see Dentists and Vendors comment.

"Dentrix G5 didn’t use an established standard like AES encryption. Instead, it used a less secure and more vulnerable proprietary algorithm."

Cryptology 101 teaches not to do this on day 2.

If you decide (against all common sense and qualified wisdom) to create your own amateur encryption method, you must apply it to the data after -- not instead of -- encrypting the data with an established standard like AES. That way you can advertise "better than standard" while actually doing no harm.

I know the ignorant and gullible represent the greatest market, but to safely exploit it you need to be less ignorant and gullible than the people you're selling to.

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.