The United States Department of Justice has agreed to settle alleged False Claims Act violations with Jelly Bean Communications Design LLC and manager Jeremy Spinks related to the failure to protect HIPAA-covered data.
Jelly Bean Communications Design is a Tallahassee, FL-based company co-owned by Jeremy Spinks, who is the company’s manager and sole employee. The company provides web hosting functions and services for its clients, one of which was the Florida Healthy Kids Corporation (FHKC). FHKC is a state-created entity that offers health and dental insurance to children in Florida between the ages of 5 and 18. FHKC receives Medicaid funds and state funds for providing health insurance programs for children in Florida.
On July 1, 2012, the Agency for Health Care Administration (AHCA) in Florida contracted with FHKC to provide services for the State Children’s Health Insurance Plan (SCHIP) Program, which included implementing technical safeguards to ensure the confidentiality, integrity, and availability of the electronic protected health information that was received, maintained, or transmitted on behalf of AHCA. FHKC contracted with Jelly Bean Communications Design on October 13, 2013, to provide web design, programming, and hosting services. Under that contract, Jelly Bean Communications Design was required to provide a fully functioning hosting environment that complied with the standards of the HIPAA Security Rule, thus requiring Jelly Bean Communications Design to create appropriate code to ensure the secure communication of HIPAA-protected data. The contract was renewed by FHKC through 2020, with the federal government covering 86% of the payments to Jelly Bean Communications Design.
Between 2013 and 2020, the online application system created by Jelly Bean Communications Design collected data from parents and other individuals that were provided when submitting applications for Medicaid insurance coverage for children. Jelly Bean Communications Design issued invoices to FHKC for its services, which included “HIPAA-compliant hosting” and a monthly retainer fee for hosting and other tasks.
In early December 2020, it became clear that the website had been hacked and unauthorized individuals accessed the application data of more than 500,000 individuals submitted through the HealthyKids.org website. FHKC initiated an investigation that revealed hackers had altered applications allowing data to be stolen. The review of the website found multiple outdated and vulnerable applications and the website had not been patched since November 2013. Further, the website did not maintain audit logs showing who had accessed the personal information of applicants. The types of information compromised included names, dates of birth, email addresses, telephone numbers, addresses, Social Security numbers, financial information, family relationship information, and secondary insurance information. The application portal was shut down by FHKC in December 2020 in response to the cybersecurity failures.
The civil litigation alleged that Jelly Bean Communications Design and Jeremy Spinks failed to follow cybersecurity standards resulting in the exposure of sensitive HIPAA-covered data while submitting false claims that data would be safeguarded, while knowingly failing to properly maintain, patch, and update software systems. While Jelly Bean Communications Design acted as a business associate under HIPAA, the action was taken over violations of the False Claims Act under the Department of Justice’s 2021 Civil Cyber-Fraud Initiative. The Civil Cyber-Fraud Initiative utilizes the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients, and was the result of a coordinated effort by the Justice Department’s Civil Division, Commercial Litigation Branch, Fraud Section, and the U.S Attorney’s Office for the Middle District of Florida, with assistance provided by HHS-OIG.
The claims were settled by Jelly Bean Communications Design and Jeremy Spinks, who agreed to pay $293,771 to resolve the allegations, of which $130,565.00 is restitution. The settlement was agreed to avoid the delay, uncertainty, inconvenience, and expense of protracted litigation, with no admission of liability or wrongdoing and no concession by the United States that its claims were not well founded.
“Companies have a fundamental responsibility to protect the personal information of their website users. It is unacceptable for an organization to fail to do the due diligence to keep software applications updated and secure and thereby compromise the data of thousands of children,” said Special Agent in Charge Omar Pérez Aybar of the Department of Health and Human Services, Office of Inspector General (HHS-OIG). “HHS-OIG will continue to work with our federal and state partners to ensure that enrollees can rely on their health care providers to safeguard their personal information.”
The post Settlement Agreed with Florida Children’s Health Insurance Website Contractor to Resolve False Claims Act Allegations appeared first on HIPAA Journal.