Jelly Bean Communications Design and its Manager Settle False Claims Act Liability for Cybersecurity Failures on Florida Medicaid Enrollment Website

Source: United States Department of Justice News

Jelly Bean Communications Design LLC (Jelly Bean) and Jeremy Spinks have agreed to pay $293,771 to resolve False Claims Act allegations that they failed to secure personal information on a federally funded Florida children’s health insurance website, which Jelly Bean created, hosted, and maintained.

“Government contractors responsible for handling personal information must ensure that such information is appropriately protected,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “We will use the False Claims Act to hold accountable companies and their management when they knowingly fail to comply with their cybersecurity obligations and put sensitive information at risk.”

The Florida Healthy Kids Corporation (FHKC) is a state-created entity that offers health and dental insurance for Florida children ages five through 18. FHKC receives federal Medicaid funds as well as state funds to provide children’s health insurance programs. On Oct. 31, 2013, FHKC contracted with Jelly Bean for “website design, programming and hosting services.” The agreement required that Jelly Bean provide a fully functional hosting environment that complied with the protections for personal information imposed by the Health Insurance Portability and Accountability Act of 1996, and Jelly Bean agreed to adapt, modify, and create the necessary code on the webserver to support the secure communication of data. Jeremy Spinks, the company’s manager, 50% owner, and sole employee, signed the agreement. Under its contracts with FHKC, between 2013 and 2020, Jelly Bean created, hosted, and maintained the website HealthyKids.org for FHKC, including the online application into which parents and others entered data to apply for state Medicaid insurance coverage for children.

The settlement announced today resolves allegations that from January 1, 2014, through Dec. 14, 2020, contrary to its representations in agreements and invoices, Jelly Bean did not provide secure hosting of applicants’ personal information and instead knowingly failed to properly maintain, patch, and update the software systems underlying HealthyKids.org and its related websites, leaving the site and the data Jelly Bean collected from applicants vulnerable to attack. In or around early December 2020, more than 500,000 applications submitted on HealthyKids.org were revealed to have been hacked, potentially exposing the applicants’ personal identifying information and other data. The United States alleged that Jelly Bean was running multiple outdated and vulnerable applications, including some software that Jelly Bean had not updated or patched since November 2013. In response to this data breach and Jelly Bean’s cybersecurity failures, FHKC shut down the website’s application portal in December 2020.  

“Safeguarding patients’ medical and other personal information is paramount,” said U.S. Attorney Roger Handberg for the Middle District of Florida. “This settlement demonstrates the commitment by my office and our partners to use every available tool to protect Americans’ health care data.”

“Companies have a fundamental responsibility to protect the personal information of their website users. It is unacceptable for an organization to fail to do the due diligence to keep software applications updated and secure and thereby compromise the data of thousands of children,” said Special Agent in Charge Omar Pérez Aybar of the Department of Health and Human Services, Office of Inspector General (HHS-OIG). “HHS-OIG will continue to work with our federal and state partners to ensure that enrollees can rely on their health care providers to safeguard their personal information.”

On Oct. 6, 2021, the Deputy Attorney General announced the Department’s Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put U.S information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. Information on how to report cyber fraud can be found here.

The resolution obtained in this matter was the result of a coordinated effort between the Justice Department’s Civil Division, Commercial Litigation Branch, Fraud Section, and the U.S Attorney’s Office for the Middle District of Florida, with assistance from HHS-OIG.

The matter was handled by Trial Attorney Michael Hoffman and Assistant U.S. Attorney Jeremy Bloor.

The claims resolved by the settlement are allegations only. There has been no determination of liability.