The Federal Trade Commission (FTC) announced on January 5, 2016, that it has agreed to settle, for $250,000, an investigation of Henry Schein Practice Solutions, Inc. (Schein), a Utah-based provider of office management software for dental practices, over allegations that it falsely advertised the level of encryption it provided for patient data.
The FTC alleged that Schein marketed its Dentrix G5 software by touting that it provided industry-standard encryption and that, by using the software, a practice would comply with HIPAA. It further alleged that Schein was aware that the encryption it used did not meet the NIST-recommended standard (Advanced Encryption Standard), which meets HIPAA regulatory requirements, and that this conduct violated Section 5 of the FTC Act. The advertisement of HIPAA compliance was included in marketing materials and brochures.
In addition to the payment of $250,000 to the FTC, Schein must stop misleading customers by representing its encryption as “industry-standard,” and in the next 60 days must notify all of its customers who purchased and use Dentrix G5 that the product does not provide industry-standard encryption. According to the FTC, this was the first settlement involving marketing claims specifically related to data security. The settlement is open for comment until February 4, 2016.
This settlement is interesting because it shows that the FTC is continuing to expand its enforcement over data security, but in this case, it concentrated on the company's false advertising with respect to data security. We predict that the FTC will continue to expand its enforcement over data security, and this is a stark reminder to software companies (and others) to be careful when advertising their products’ capabilities.