HIPAA/HITECH , Standards, Regulations & Compliance

Feds Fine Web Hosting Firm in Kids Insurance Site Hack

DOJ: Vendor Failed to Patch, Secure Systems for 7 Years
Feds Fine Web Hosting Firm in Kids Insurance Site Hack
Federal prosecutors say Jelly Bean Communications Design failed to secure the Florida Healthy Kids website for kids' medical and dental insurance.

A Florida company will pay nearly $300,000 to settle allegations stemming from a 2020 hacking incident that revealed the personal identifying information of hundreds of thousands of minors. The settlement with Jelly Bean Communications Design is part of a federal crackdown on lax cybersecurity.

See Also: Panel Discussion | Accelerate HITRUST certification for faster time-to-market and improved ROI

The $293,771 settlement resolves civil litigation initiated by the federal government against Jelly Bean Communications Design and Jeremy Spinks - the company's co-owner, manager and sole employee - after hackers gained access to half a million insurance applications for low-cost health and dental insurance for children aged between 5 and 18.

The Jelly Bean settlement is part of the Department of Justice's Civil Cyber-Fraud Initiative launched in October 2021.

The effort targets federal contractors "when they fail to follow required cybersecurity standards," Deputy Attorney General Lisa O. Monaco said at the time.

The state of Florida contracted with Jelly Bean in 2013 to manage the healthykids.org website for the Florida Healthy Kids Corp., the state-created entity that runs the national Children's Health Insurance Program through a combination of federal and state money.

The settlement comes from allegations that Spinks submitted false claims - the falsity being that Jelly Bean asserted it would safeguard data covered by HIPAA.

Jelly Bean "knowingly failed to properly maintain, patch, and update the software systems, leaving the HealthyKids.org site and its data vulnerable to attack," the Justice Department says.

"Billing for HIPAA compliant services exposed Jelly Bean to federal criminal liability," said regulatory attorney Paul Hales of Hales Law. "Vendors handling PHI without a robust HIPAA compliance program in place should beware and be very careful. Now we see they might face federal fraud and False Claim Act charges."

A February 2021 breach notification said a large number of applicants' addresses had been inappropriately accessed and altered in the incident (see: Kids' Health Insurer's Website Vulnerable for 7 Years).

Among the data potentially exposed were Social Security numbers, financial data of parents - including wages, alimony and child support - and email and physical addresses.

An investigation by Florida Healthy Kids Corp. found a number of outdated and vulnerable applications on the website's back end, including software not updated or patched since November 2013.

Reached by phone, Jeremy Spinks declined Information Security Media Group's request for comment on the settlement and prosecutors' allegations. He wouldn't comment on whether he's still involved with Jelly Bean operations.

The company did not immediately respond to ISMG's request for comment on the settlement. The Justice Department says the company no longer performs work on any government programs or for health care-related purposes.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.