The US Department of Justice has accepted a settlement in response to accusations of False Claims Act violations against Jelly Bean Communications Design LLC and its manager, Jeremy Spinks, for failing to uphold HIPAA-guarded data.
The Agency for Health Care Administration in Florida acquired services from FHKC on July 1, 2012, to implement technical safeguards for the State Children’s Health Insurance Plan Program. This safeguarding would ensure the confidentiality, integrity, and availability of electronically protected health information received, maintained, or transmitted on behalf of AHCA.
Jeremy Spinks is the manager and sole employee of Jelly Bean Communications Design, a Tallahassee, FL-based business. They offer web hosting services to customers, including the Florida Healthy Kids Corporation (FHKC). This organization, created by the state, provides health and dental coverage to Florida children aged 5-18 and is financially supported by Medicaid and other state funds.
The Court Decision on the Florida Children’s Health Insurance Website
On October 13, 2013, FHKC contracted Jelly Bean Communications Design for web design, programming, and hosting services. The agreement required Jelly Bean Communications Design to offer a hosting environment compliant with the HIPAA Security Rule and to create a secure code for communicating HIPAA-protected data. FHKC renewed the contract through 2020, with the federal government covering 86% of the payments to Jelly Bean Communications Design.
During the period of 2013 to 2020, Jelly Bean Communications Design developed an online application system that gathered information given by parents and other individuals when they submitted applications for their children’s Medicaid insurance coverage. They then presented FHKC with invoices for their services, which included “HIPAA-compliant hosting” and a regular fee for hosting responsibilities and other duties.
In December 2020, it became evident that the HealthyKids.org website had been compromised, leading to the unauthorized access of personal information submitted through the website by over 500,000 individuals. FHKC conducted a review and discovered that the website had numerous outdated and insecure applications and had not been updated since November 2013.
Moreover, there was no record of who had accessed the personal data of applicants. The data that was exposed included names, birth dates, emails, phone numbers, addresses, Social Security numbers, financial data, family relationship information, and secondary insurance information. As a result of the cyber security breaches, FHKC shut down the application portal in December 2020.
In a civil litigation case, Jelly Bean Communications Design and Jeremy Spinks were accused of not adhering to cybersecurity standards and providing false information about data protection. As a business associate under HIPAA, the action was brought under the 2021 Civil Cyber-Fraud Initiative of the Department of Justice’s False Claims Act.
“Companies have a fundamental responsibility to protect the personal information of their website users. It is unacceptable for an organization to fail to compromise the data of thousands of children, HHS-OIG will continue to work with our federal and state partners to ensure that enrollees can rely on their healthcare providers to safeguard their personal information.”
Special Agent in Charge Omar Pérez Aybar of the Department of Health and Human Services, Office of Inspector General (HHS-OIG).
This initiative was launched to investigate government contractors and grant recipients who commit cyber-fraud and was a collective effort of the Justice Department’s Civil Division, Commercial Litigation Branch, Fraud Section, and the U.S Attorney’s Office for the Middle District of Florida, with additional aid from HHS-OIG.
Jelly Bean Communications Design and Jeremy Spinks accepted a settlement of $293,771, with $130,565.00 of that sum designated as restitution. This agreement was reached to forgo the time-consuming and costly process of litigation, with no one admitting to any liability or wrongdoing and the United States not conceding that their allegations were unfounded.
