FTC plans $250K fine over deceptive encryption claims
Under a proposed consent order, the FTC alleges that for two years Henry Schein Practice Solutions touted the "encryption capabilities" of its Dentrix G5 software in marketing materials. However, the software protected patient data with a less complex data-masking method rather than the Advanced Encryption Standard (AES), which the National Institute of Standards and Technology recommends as an industry standard.
The FTC said Schein made deceptive claims that this level of encryption provides the appropriate protection to meet regulatory obligations under the HIPAA privacy rule, according to an announcement.
In addition to the fine, the company will be prohibited from misleading customers about the extent to which its products use industry-standard encryption and the extent to which its products help clients achieve regulatory compliance or protect patient information.
Schein will be required to notify all customers who bought Dentrix G5 during this two-year period and provide the FTC with ongoing reports on the notification program, according to the announcement.
Healthcare organizations that face repeated complaints for HIPAA violations rarely face consequences, ProPublica reported recently. It named the worst offenders as the U.S. Department of Veterans Affairs, Walgreens, CVS, Kaiser Permanente and Walmart.
However, a recent appeals court ruling put more power in the hands of the FTC when it comes to policing corporate cybersecurity. The ruling, by the Third U.S. Circuit Court of Appeals in Philadelphia, allows the FTC to move forward with a lawsuit against Wyndham Worldwide Corp. in which it alleges the hotel chain was responsible for three breaches between 2000 and 2010 in which hackers allegedly stole hundreds of thousands of credit and debit card numbers.
To learn more:
- here's the announcement
- VA, Kaiser Permanente among repeat HIPAA violators that face few consequences
- Connected Health 2015: Legacy systems, BYOD among top healthcare security challenges
- Report: Unsecured, noncompliant messaging could spell trouble for healthcare
- Health app accreditation doesn't assure security of data, user privacy