Henry Schein to pay $250K to FTC for misleading encryption claims
The FTC had accused Schein of making misleading claims to customers about the level of encryption it offered.
In an enforcement action that aimed the spotlight squarely at encryption, Henry Schein Practice Solutions, Inc. agreed to pay a $250,000 fine to settle Federal Trade Commission (FTC) charges that it falsely advertised the level of encryption it used to safeguard patient data.
The software company told dental practice companies nationwide that its software offered up industry-standard encryption that would protect sensitive data in accordance with the Health Insurance Portability and Accountability Act (HIPAA).
But the FTC filed a suit against Schein, claiming that the company knew the data encryption method its Dentrix G5 software used fell below the NIST-recommended Advanced Encryption Standard (AES), yet continued to hawk the product as meeting “data protection regulations,” as the FTC, in a release, quoted the company's ads as saying.
“Strong encryption is critical for companies dealing with sensitive health information,” Jessica Rich, Director of the FTC's Bureau of Consumer Protection, said in the release. “If a company promises strong encryption, it should deliver it.”
In addition to the fine, the terms of the settlement require Schein to notify customers who bought the software during the time that the misleading claims were made. The company is also forbidden from similarly misleading customers going forward.
“This is a classic case of a business making headlines for bad security practices,” Mark Bower, global director of product management for HPE Security – Data Security, said in comments emailed to SCMagazine.com. “In this case, the FTC specifically cited the business in the areas of data masking and encryption, pointing out an overall poor and non-secure approach to data de-identification.”
Bower noted that “even the best intentioned enterprises can find themselves in regulatory hot water if data security approaches don't meet industry best practices” and encouraged firms “looking to encrypt, tokenize or mask data with proprietary and unproven technology or products” to use the action as a lesson that they “could face similar scrutiny” and to “take data security very seriously.”