Camouflage is not encryption, FTC warns software company

The Federal Trade Commission (FTC) entered into a $250,000 settlement agreement with a software company that allegedly misled dental practices into believing that the software it sold encrypted data sufficiently to protect it from data breaches and otherwise safeguard protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191). Henry Schein Practice Solutions, Inc. (Schein) continued to mislead practices even after the National Institute of Standards and Technology (NIST) issued a vulnerability alert describing the software's protection as a mere “weak obfuscation algorithm” and noting that the vendor had agreed to rebrand the feature as “Data Camouflage.” Under the agreement, Schein is prohibited from misleading customers as to the extent of its encryption and its ability to meet regulatory obligations. It will also be required to notify all customers who purchased Dentrix G5 software during the affected period that the product does not provide industry-standard encryption, and to update the FTC on that notification process.

Encryption

Encryption is an algorithmic process that transforms data so that it appears meaningless without the application of a key or other confidential process (45 C.F.R. sec. 164.304). HHS suggests that HIPAA covered entities and business associates refer to NIST guidance on encryption technology; NIST Special Publication 800-111 recommends the Advanced Encryption Standard (AES). The FTC alleges that Schein misled customers into believing that its software met that industry standard and was therefore effective in protecting patient data in accordance with HIPAA.
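The distinction the FTC drew is the one in the regulatory definition: with real encryption the key is the only secret, whereas an obfuscation scheme has no key, so anyone holding the software can reverse it. The following Go example, added here and not taken from the FTC order or any Schein product, puts a constructed stand-in for a keyless "camouflage" pad (not the actual Dentrix algorithm) beside AES-GCM from the Go standard library; the pad value and the sample record are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed stand-in for a "weak obfuscation algorithm" (not the real
// Dentrix scheme): a fixed pattern XORed over the data, with no key at all.
var camouflagePad = []byte("DEMO")
// Camouflage is its own inverse, so anyone with the software can read the data.
func Camouflage(data []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ camouflagePad[i%len(camouflagePad)]
	}
	return out
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key: 16, 24 or 32 bytes from a CSPRNG
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt uses AES-GCM; only the key is secret. Layout: nonce || ciphertext || tag.
func Encrypt(key, plain []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Decrypt fails on a wrong key or any altered byte, unlike the XOR pad above.
func Decrypt(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated ciphertext")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

Because AES-GCM also authenticates the ciphertext, a stored record that has been tampered with fails to decrypt instead of silently yielding altered PHI.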

Ramifications

In addition to leading dental practices to believe that their PHI was safe, the FTC argued that the advertising could cause practices to believe that they were not required to report certain data breaches to affected individuals or to the HHS Office for Civil Rights, since the HIPAA Breach Notification Rule (45 C.F.R. Secs. 164.400-414) includes a “safe harbor” for information encrypted consistent with NIST Special Publication 800-111. Even those practices that chose to report breaches might incorrectly advise those affected that their information was safe because it was encrypted.