FTC Fines Software Maker over False Data Encryption Claims
Software vendor lies about encryption, gets big-time fine
The US Federal Trade Commission (FTC) has fined a software vendor for lying about its product's encryption capabilities, despite being publicly warned by US Computer Emergency Readiness Team (CERT) not to do so.
In 2012, software vendor Henry Schein released Dentrix G5, a powerful piece of software for helping dentists manage their day-to-day operations.
In the software's brochure, Henry Schein said the following: "The database also provides new encryption capabilities that can help keep patient records safe and secure. And of course, encryption plays a key role in your efforts to stay compliant with HIPAA security standards."
The software vendor was lying through its teeth
The HIPAA (Health Insurance Portability and Accountability Act) security standards say that data should be encrypted with top-grade encryption algorithms like AES (Advanced Encryption Standard) and higher. HIPAA also claims that a company that has lost a laptop containing medical information is exempted from reporting a data breach incident to law authorities if the medical data was encrypted (with AES and higher).
As US-CERT learned in 2013, Henry Schein's Gentrix G5 did not use minimal HIPAA encryption levels, despite saying so in its brochures, online website, newspaper interviews, and newsletters.
The US-CERT team issued a public vulnerability note in June 2013, warning Henry Schein customers of the lack of proper encryption in its product. The warning also addressed an issue with a similar software product sold by Faircom, another software maker.
According to CERT, both companies used DES (Data Encryption Standard) to secure data. DES is an outdated symmetric-key method of data encryption.
Henry Schein continued to sell the product using false advertising
Despite the CERT warning, Henry Schein continued to sell the Gentrix G5 software for another year, until January 2014, claiming to have powerful encryption, compliant with HIPAA security standards.
Additionally, after the US-CERT warning, the company also failed to inform prior buyers that the software was not actually HIPAA compliant.
As the FTC started an investigation, after January 2014, Henry Schein changed its promotional materials, replacing "data encryption" to "data camouflage."
On January 5, 2015, the FTC reached a settlement with Henry Schein, fining the company $250,000 / €228,000. Henry Schein will also have to inform prior clients of its deceptive advertising, which will probably result in charge-backs and some extra lawsuits.
Here are some other false claims made by Henry Schein (there are many more):
"The SQL database also offers improved protection by storing customer data in an encrypted format. With ever-increasing data protection regulations, Dentrix G5 provides an important line of defense for both patient and practitioner," via the company's newsletter.
"With medical professionals under strict regulatory obligations to protect their patients’ personal health information, the new Dentrix G5 database provides an important line of defense for both patient and practitioner," statements to the Dentrix Magazine.