Dental software giant Schein has agreed to spend a quarter of a million dollars for not encrypting your teeth nearly as well as it promised.
It has settled with the Federal Trade Commission for $250,000 over misleading statements about the strength of its encryption algorithms, compromising patients’ privacy.
Schein is the distributor of Dentrix G5, an industry-leading program that stores all of a dental patient’s personal information, like insurance, social security numbers, and medical records. The company advertised its program as safe, and claimed in promotional materials that it provides “new encryption capabilities that can help keep patient records safe and secure.”
But that was misleading, the FTC found. That wasn’t a default setting, and even when it was, it was pretty weak: The National Institute of Science and Technology (NIST) openly warned that the software was vulnerable. That in turn could endanger dentists, who are required to inform patients if their medical data has been compromised by hackers.
Hacks of patients medical records have exponentially increased in recent years. In March, the Department of Health and Human services counted more than 1,000 patient data breaches since 2009, with over 120 million people affected. That number surely grew in October, when Anthem, the second-largest insurer in the U.S., faced a major breach, compromising an estimated 80 million user accounts.
In a statement emailed to the Daily Dot, a spokesperson for Schein stressed that accepting a settlement is not tantamount to admitting guilt, and urged dental offices that use the company’s products to use Advanced Encryption Standard, or AES, the industry standard to protect their patients’ privacy. When pressed, the spokesperson admitted that no, Dentrix G5 still does not provide AES encryption.
Update 2:57pm CT, Jan. 6: Added comment from Schein.
Illustration by Max Fleishman