The FTC’s Settlement with HSPS Reminds Software Providers of the Importance of Truthful Advertising with Respect to Data Encryption

On January 5, 2016, the Federal Trade Commission (“FTC”) announced that it had reached an agreement with leading software provider, Henry Schein Practice Solutions, Inc. (“HSPS”), to settle the charges it had filed against HSPS. The charges brought by the FTC alleged, among other things, that HSPS misrepresented its dental office management program, Dentrix G5, by falsely advertising the software’s level of encryption in protecting patients’ data. In its complaint, the FTC alleges that HSPS engaged in unfair and deceptive practices for two years by falsely advertising that the Dentrix G5 software used industry-standard encryption and that it met the regulatory data security obligations as required by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Dentrix G5 is software sold by HSPS to assist dentists and other professionals in performing daily office tasks such as collecting and storing patients’ personal information. Specifically, Dentrix G5 enables healthcare professionals to enter patient data, process payments, send appointment reminders, enter diagnostic information, document treatment plans and progress, and submit claims for insurance. Given the amount of sensitive data that the software collects and retains, Dentrix G5 is subject to the same security-related standards required by HIPAA as others in the market.

The FTC alleges that HSPS not only failed to meet these recommended security standards, but also falsely advertised the level of encryption of its Dentrix G5 software. According to the FTC, in 2012, HSPS continued to incorporate a third-party database engine in its Dentrix G5 software despite being notified by the third party in November 2010 that there were security risks associated with the engine. The FTC contends that the third-party vendor not only notified HSPS that the engine used an untested proprietary algorithm as a form of data protection, but also pointed out that the algorithm was less secure and more vulnerable than the “widely-used, industry-standard encryption algorithms, such as Advanced Encryption Standard (“AES”) encryption.” The FTC contends that despite the warnings, HSPS distributed marketing materials falsely stating the level of encryption used by the Dentrix G5 software and misled consumers into believing that the software complied with the requirements established in HIPAA.

Although HSPS does not admit any of the allegations set forth in the FTC’s complaint by agreeing to the proposed settlement, HSPS has nevertheless emerged as the losing party in this case. Not only do the settlement terms require HSPS to pay the FTC $250,000, but they also require that HSPS notify consumers that it had previously misrepresented the security features of its software. Through this settlement, the FTC has succeeded in discouraging HSPS from engaging in false advertising with respect to data encryption, and has set an example for other software providers. The FTC’s action against HSPS reflects the agency’s interest in ensuring that software providers continue to accurately advertise and provide adequate security measures to protect sensitive information.


Deba Alam is currently a second-year law student at DePaul University College of Law. Deba is a contributing member of the E-Pulse; a Jaharis Health Law Fellow; and a staff writer for DePaul’s Journal of Art, Technology, and Intellectual Property.