FL Children’s Health Insurance Site Contractor Pays Fine to Resolve False Claims Act Allegations

Jelly Bean Communications Design agreed to pay nearly $300K to resolve False Claims Act allegations that it failed to secure personal information stored on a federally funded Florida children’s health insurance website.

Jelly Bean Communications Design LLC, a Florida-based design firm, agreed to pay $293,771 to resolve False Claims Act allegations related to cybersecurity failures, the Department of Justice (DOJ) announced.

In 2013, Jelly Bean was contracted to create, host, and maintain the website of the Florida Healthy Kids Corporation (FHKC), a federally funded Florida children’s health insurance provider. Jelly Bean agreed to create the website in compliance with HIPAA privacy and security protections, and the federal government funded 86 percent of the payments made from FHKC to Jelly Bean.

“The settlement announced today resolves allegations that from January 1, 2014, through Dec. 14, 2020, contrary to its representations in agreements and invoices, Jelly Bean did not provide secure hosting of applicants’ personal information and instead knowingly failed to properly maintain, patch, and update the software systems underlying HealthyKids.org and its related websites, leaving the site and the data Jelly Bean collected from applicants vulnerable to attack,” the DOJ alleged.

In December 2020, HealthyKids.org suffered a cyberattack resulting in the exposure of more than 500,000 applications containing sensitive data. Jelly Bean was allegedly running the site using multiple outdated and vulnerable applications, including software that had not been patched since November 2013.

“Government contractors responsible for handling personal information must ensure that such information is appropriately protected,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “We will use the False Claims Act to hold accountable companies and their management when they knowingly fail to comply with their cybersecurity obligations and put sensitive information at risk.”

Jelly Bean did not admit any wrongdoing but agreed to the settlement. Following the breach, FHKC shut down its application portal, which had been used by parents and guardians to apply for state Medicaid insurance coverage for children.

“Companies have a fundamental responsibility to protect the personal information of their website users. It is unacceptable for an organization to fail to do the due diligence to keep software applications updated and secure and thereby compromise the data of thousands of children,” said Special Agent in Charge Omar Pérez Aybar of the HHS Office of Inspector General (HHS-OIG).

“HHS-OIG will continue to work with our federal and state partners to ensure that enrollees can rely on their health care providers to safeguard their personal information.”
