Settlement Agreed with Florida Children’s Health Insurance Website Contractor to Resolve False Claims Act Allegations

The US Department of Justice has agreed to settle alleged False Claims Act violations with Jelly Bean Communications Design LLC and manager Jeremy Spinks related to the failure to protect HIPAA-covered data.

Jelly Bean Communications Design is a Tallahassee, FL-based company co-owned by Jeremy Spinks, who is the company’s manager and sole employee. The company provides web hosting functions and services for its clients, one of which was the Florida Healthy Kids Corporation (FHKC). FHKC is a state-created entity that provides health and dental insurance to children in Florida between the ages of 5 and 18. FHKC receives Medicaid funds and state funds for providing health insurance programs for children in Florida.

On July 1, 2012, the Agency for Health Care Administration (AHCA) in Florida contracted with FHKC to provide services for the State Children’s Health Insurance Plan (SCHIP) Program, which included implementing technical safeguards to ensure the confidentiality, integrity, and availability of the electronic protected health information that was received, maintained, or transmitted on behalf of AHCA. FHKC contracted with Jelly Bean Communications Design on October 13, 2013, to provide web design, programming, and hosting services. Under that contract, Jelly Bean Communications Design was required to provide a fully functional hosting environment that complied with the standards of the HIPAA Security Rule, which required Jelly Bean Communications Design to create appropriate code to ensure the secure communication of HIPAA-protected data. The contract was renewed by FHKC through 2020, with the federal government covering 86% of the payments to Jelly Bean Communications Design.

Between 2013 and 2020, the web application system created by Jelly Bean Communications Design collected data from parents and other individuals that was provided when submitting applications for Medicaid insurance coverage for children. Jelly Bean Communications Design issued invoices to FHKC for its services, which included “HIPAA-compliant hosting” and a monthly retainer fee for hosting and other tasks.

In early December 2020, it became clear that the website had been hacked and unauthorized individuals had accessed the application data of more than 500,000 individuals submitted via the website. FHKC initiated an investigation that revealed hackers had altered applications, allowing data to be stolen. The review of the website found multiple outdated and vulnerable applications, and the website had not been patched since November 2013. Further, the website did not maintain audit logs showing who had accessed the personal information of applicants. The types of information compromised included names, dates of birth, email addresses, telephone numbers, addresses, Social Security numbers, financial information, family relationship information, and secondary insurance information. The application portal was shut down by FHKC in December 2020 in response to the cybersecurity failures.

The civil litigation alleged that Jelly Bean Communications Design and Jeremy Spinks failed to follow cybersecurity standards, resulting in the exposure of sensitive HIPAA-covered data, while submitting false claims that data would be safeguarded and knowingly failing to properly maintain, patch, and update software systems. While Jelly Bean Communications Design acted as a business associate under HIPAA, the action was taken over violations of the False Claims Act under the Department of Justice’s 2021 Civil Cyber-Fraud Initiative. The Civil Cyber-Fraud Initiative uses the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients, and was the result of a coordinated effort by the Justice Department’s Civil Division, Commercial Litigation Branch, Fraud Section, and the U.S. Attorney’s Office for the Middle District of Florida, with assistance provided by HHS-OIG.

The claims were settled by Jelly Bean Communications Design and Jeremy Spinks, who agreed to pay $293,771 to resolve the allegations, of which $130,565.00 is restitution. The settlement was agreed to avoid the delay, uncertainty, inconvenience, and expense of protracted litigation, with no admission of liability or wrongdoing and no concession by the US that its claims were not well founded.

“Companies have a fundamental responsibility to protect the personal information of their website users. It is unacceptable for an organization to fail to do the due diligence to keep software applications updated and secure and thereby compromise the data of hundreds of children,” said Special Agent in Charge Omar Pérez Aybar of the Department of Health and Human Services, Office of Inspector General (HHS-OIG). “HHS-OIG will continue to work with our federal and state partners to ensure that enrollees can rely on their health care providers to safeguard their personal information.”
