July 3, 2023
The Department of Justice (DOJ) recently announced a civil cyber-fraud settlement by Jelly Bean Communications Design LLC (Jelly Bean) and its manager, Jeremy Spinks. Jelly Bean and Spinks will pay $293,771 to resolve allegations related to their failure to secure government insurance recipients’ personal health information. This settlement was reported in conjunction with the DOJ’s Civil Cyber Fraud-Initiative. The case involved a federally funded Florida children’s health insurance website which Jelly bean, created, maintained, and hosted.
The Florida Healthy Kids Corporation (FHKC) is a state-created entity that offers health and dental insurance for Florida children. FHKC receives state and federal Medicaid funds to support its programs. In 2013, FHKC contracted Jelly Bean for website design, programming, and hosting services. The agreement required Jelly Bean to comply with the protections for personal information imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Jelly Bean agreed to create a secure hosting environment and support the secure communication of data.
According to the DOJ, Jelly Bean failed to provide secure hosting and maintain, patch, and update the software systems underlying the FHKC website HealthyKids.org. In December 2020, hackers accessed over 500,000 applications on HealthyKids.org. The government claimed this unauthorized access was a result of Jelly Bean’s inadequate cybersecurity. The breach exposed applicants’ personal identifying information and other data. The breach also prompted FHKC to shut down its application portal in December 2020. Subsequently, an investigation uncovered that Jelly Bean was running multiple outdated and vulnerable applications. Some software had not been updated or patched since November 2013.
The DOJ created the Civil Cyber-Fraud Initiative in 2021. The purpose of the initiative is to hold accountable those who put U.S. information or systems at risk through deficient cybersecurity practices. This initiative reinforces the government’s commitment to address cybersecurity lapses and protect sensitive data. Contractors must prioritize the protection of personal information and comply with cybersecurity obligations or face the consequences.
In announcing the settlement, Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division said:
“Government contractors responsible for handling personal information must ensure that such information is appropriately protected. We will use the False Claims Act to hold accountable companies and their management when they knowingly fail to comply with their cybersecurity obligations and put sensitive information at risk.”
If you are aware that a government contractor has falsely certified compliance with its cybersecurity requirements, or failed to report a cybersecurity breach, we urge you to contact us. Our attorneys include several former federal prosecutors with experience safeguarding sensitive government information. We can discuss your concerns in a confidential and secure setting. We can also advise you on the best options to prevent critical information and data from falling into the wrong hands.