Florida-based Jelly Bean Communications Design has been fined $293,771 following a hacking incident that exposed the personal information of thousands of minors. In 2020, hackers gained access to 500,000 applications for low-cost health and dental insurance for children aged between 5 and 18.
The state of Florida contracted Jelly Bean in 2013 to manage the healthykids.org website for the Florida Healthy Kids Corporation. The company’s co-owner, manager, and sole employee, Jeremy Spinks, has also been named in the civil litigation, which was brought by the US federal government.
The settlement is part of the Department of Justice’s Civil Cyber-Fraud Initiative, launched in October 2021, which targets federal contractors who fail to adhere to required cybersecurity standards. The effort was launched by Deputy Attorney General Lisa O. Monaco.
Additionally, allegations against Jelly Bean include that Spinks submitted false claims, which led the Justice Department to investigate the company’s HIPAA compliance program.
The breach notification in February 2021 revealed that the incident had resulted in a large number of applicants’ addresses being inappropriately accessed and altered.
Among the data potentially exposed were Social Security numbers, parents' financial data, and email and physical addresses.
An investigation by Florida Healthy Kids Corp. discovered outdated and vulnerable applications on the website’s back end, including software not updated or patched since November 2013.
Regulatory attorney Paul Hales of Hales Law warned that vendors handling PHI without a robust HIPAA compliance program could face federal fraud and False Claims Act charges. Jelly Bean no longer performs work on any government programs or for healthcare-related purposes, according to the Justice Department, and the company did not respond to requests for comment. Jeremy Spinks also declined to comment on the settlement or the prosecutors’ allegations.