A Utah-based dental-practice software vendor will pay $250,000 to the Federal Trade Commission to settle charges that it falsely advertised the level of encryption it provided.
Under a proposed consent order, the FTC alleges that for two years Henry Schein Practice Solutions touted the "encryption capabilities" of its Dentrix G5 software in marketing materials. In fact, the software protected patient data with a data-masking method less complex than the Advanced Encryption Standard (AES), which the National Institute of Standards and Technology recommends as an industry standard.
According to the FTC's announcement, Schein deceptively claimed that this level of encryption provided the protection needed to meet regulatory obligations under the HIPAA privacy rule.
In addition to the fine, the company will be prohibited from misleading customers about the extent to which its products use industry-standard encryption and the extent to which its products help clients achieve regulatory compliance or protect patient information.
Schein will be required to notify all customers who bought Dentrix G5 during this two-year period and provide the FTC with ongoing reports on the notification program, according to the announcement.
Healthcare organizations that draw repeated complaints about HIPAA violations rarely face consequences, ProPublica reported recently. It named the worst offenders as the U.S. Department of Veterans Affairs, Walgreens, CVS, Kaiser Permanente and Walmart.
However, a recent appeals court ruling put more power in the hands of the FTC when it comes to policing corporate cybersecurity. The ruling, by the Third U.S. Circuit Court of Appeals in Philadelphia, allows the FTC to move forward with its lawsuit against Wyndham Worldwide Corp., which alleges that the hotel chain was responsible for three breaches between 2000 and 2010 in which hackers allegedly stole hundreds of thousands of credit and debit card numbers.
To learn more:
- here's the announcement