
Jelly Bean Communications Design LLC (Jelly Bean) and Jeremy Spinks have agreed to pay $293,771 to resolve False Claims Act allegations. The allegations claim that while Jelly Bean created, hosted, and maintained a federally funded Florida children’s health insurance website, they failed to secure personal information. The Florida Healthy Kids Corporation (FHKC) is a state-created entity that offers health and dental insurance for Florida children ages five through 18. FHKC receives federal Medicaid funds as well as state funds to provide children’s health insurance programs.
Under its contracts with FHKC, between 2013 and 2020, Jelly Bean created, hosted, and maintained the website HealthyKids.org for FHKC, including the online application into which parents and others entered data to apply for state Medicaid insurance coverage for children. The agreement required that Jelly Bean provide a fully functional hosting environment that complied with the protections for personal information imposed by the Health Insurance Portability and Accountability Act of 1996.
The settlement resolves allegations that Jelly Bean did not provide secure hosting of applicants’ personal information from January 1, 2014, through Dec. 14, 2020. Contrary to its representations in agreements and invoices, Jelly Bean knowingly failed to properly maintain, patch, and update the software systems underlying HealthyKids.org and its related websites, leaving the site and the data Jelly Bean collected from applicants vulnerable to attack. This vulnerability led to a data breach in or around early December 2020, exposing the personal identifying information and other data of more than 500,000 applicants submitted on HealthyKids.org. The United States alleged that Jelly Bean was running multiple outdated and vulnerable applications, including some software that Jelly Bean had not updated or patched since November 2013.
“Government contractors responsible for handling personal information must ensure that such information is appropriately protected,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “We will use the False Claims Act to hold accountable companies and their management when they knowingly fail to comply with their cybersecurity obligations and put sensitive information at risk.”
“Safeguarding patients’ medical and other personal information is paramount,” said U.S. Attorney Roger Handberg for the Middle District of Florida. “This settlement demonstrates the commitment by my office and our partners to use every available tool to protect Americans’ health care data.”
“Companies have a fundamental responsibility to protect the personal information of their website users. It is unacceptable for an organization to fail to do the due diligence to keep software applications updated and secure and thereby compromise the data of thousands of children,” said Special Agent in Charge Omar Pérez Aybar of the Department of Health and Human Services, Office of Inspector General (HHS-OIG). “HHS-OIG will continue to work with our federal and state partners to ensure that enrollees can rely on their health care providers to safeguard their personal information.”
This matter was handled by Trial Attorney Michael Hoffman and Assistant U.S. Attorney Jeremy Bloor, with assistance from HHS-OIG. The resolution obtained in this matter was the result of a coordinated effort between the Justice Department’s Civil Division, Commercial Litigation Branch, Fraud Section, and the U.S. Attorney’s Office for the Middle District of Florida.
On Oct. 6, 2021, the Deputy Attorney General announced the Department’s Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. Information on how to report cyber fraud can be found here.