Jelly Bean Communications Design reached a $293,771 settlement to resolve False Claims Act allegations that it knowingly provided deficient security controls to Florida Healthy Kids Corp., which caused the second largest reported healthcare data breach of 2021.
Jelly Bean created, hosted and maintained the federally funded Florida children’s health insurance website that offers health and dental insurance for children under a state-issued contract between Oct. 31, 2013, and 2020.
A Department of Justice inquiry stemmed from the company's February 2021 breach notice to 3.5 million online applicants and enrollees, detailing a seven-year hack directly caused by Jelly Bean failing to patch multiple website vulnerabilities.
Under its agreement, Jelly Bean provided and hosted a website that was required to comply with the Health Insurance Portability and Accountability Act Security Rule, which governs protected health information. The website included the online application for applying to state Medicaid insurance coverage for children.
As such, the company agreed to “adapt, modify, and create the necessary code on the web server to support the secure communication of data.”
However, the DoJ found the company and Jeremy Spinks — Jelly Bean's manager, 50% owner and sole employee — “knowingly failed to properly maintain, patch, and update the software systems,” which left the website and patient data exposed to cyber threats.
“Government contractors responsible for handling personal information must ensure that such information is appropriately protected,” said Principal Deputy Assistant Attorney General Brian Boynton, head of the DoJ’s Civil Division, in the release.
More than 500,000 applications hacked on HealthyKids website
The allegations against Jelly Bean centered around the notice to FHKC detailing the unauthorized access to thousands of applicant addresses. The information was also tampered with through their hosted website and databases, due to “significant security flaws,” which enabled a threat actor to exploit the data beginning in November 2013.
The seven-year hack exposed the data of full patient names, dates of birth, Social Security numbers, financial information, family relationships, and secondary insurance data.
DoJ found that “contrary to its representations in agreements and invoices, Jelly Bean did not provide secure hosting of applicants’ personal information…leaving the site and the data collected from applicants vulnerable to attack.”
In total, over 500,000 applications submitted on the HealthyKids website were hacked. DoJ alleged the exposure was the direct result of Jelly Bean “running multiple outdated and vulnerable applications.” Some software had not been updated or patched since November 2013.
FHKC shut down the website’s application portal in December 2020, as a direct result of the massive hack and Jelly Bean’s cybersecurity failures.
“Companies have a fundamental responsibility to protect the personal information of their website users,” said Special Agent in Charge Omar Pérez Aybar of the Department of Health and Human Services, Office of Inspector General, in a statement.
“It’s unacceptable for an organization to fail to do the due diligence to keep software applications updated and secure and thereby compromise the data of thousands of children,” he added.
The investigation was launched into Jelly Bean under DoJ’s Civil Cyber-Fraud Initiative launched on Oct. 6, 2021. The effort targets entities or individuals that knowingly provide deficient cybersecurity products, misrepresent cyber practices or protocols, or violate obligations to monitor and report incidents and breaches.
HHS OIG intends to continue working with federal and state agencies to ensure healthcare provider organizations are safeguarding personal and protected health information.
The DoJ plans to leverage its authority under the False Claims Act to hold companies and management accountable. Boynton added, particularly “when they knowingly fail to comply with their cybersecurity obligations and put sensitive information at risk.”