Henry Schein Practice Solutions, Inc., a provider of office management software for dental practices, agreed to pay $250,000 to the Federal Trade Commission (FTC) to settle charges that Schein lied to consumers about the level of encryption its product provides. The charges specifically address the level of security offered by Schein’s Dentrix G5 software, an office and data management tool marketed to handle the day-to-day operations of a dental office, including database storage of patient records. The software, originally launched in 2012, was marketed as offering encryption capabilities that would help a practice meet HIPAA security requirements.
Contrary to Schein’s statements to consumers, Dentrix G5 did not use the Advanced Encryption Standard (AES), the industry standard published by the National Institute of Standards and Technology (NIST). According to the FTC’s complaint, Schein knew that its product used a less complicated data encryption method, yet continued to explicitly promote the software’s data encryption capabilities and to claim in marketing material that the software met “data protection regulations.”
The U.S. Computer Emergency Readiness Team (US-CERT) issued a warning in 2013 about the data encryption method Schein used in its software. Dentrix G5 used Faircom c-treeACE, which offers only a weak level of obfuscation. The algorithm used in this method was originally called Faircom Standard Encryption, but the name was changed to Data Camouflage to distinguish it from standard encryption algorithms. Faircom describes its Data Camouflage as a supplement to existing security, not a replacement for other security systems. US-CERT notified Schein of this vulnerability on June 10, 2013.
Schein is required by the consent agreement to notify all customers who purchased Dentrix G5 that the software does not offer industry-standard encryption. Schein agreed to provide the FTC with ongoing progress reports on its notification program, and is prohibited from using false advertising to mislead consumers about its products’ data encryption and security capabilities.
The FTC published a description of the consent agreement in the Federal Register. The consent agreement is open for public comment for 30 days. The FTC will then decide whether to make the consent agreement final. The deadline for public comments is February 4.