Feds Fine Web Hosting Firm in Kids Insurance Site HackDOJ: Vendor Failed to Patch, Secure Systems for 7 Years
A Florida company will pay nearly $300,000 to settle allegations stemming from a 2020 hacking incident that revealed the personal identifying information of hundreds of thousands of minors. The settlement with Jelly Bean Communications Design is part of a federal crackdown on lax cybersecurity.
The $293,771 settlement resolves civil litigation initiated by the federal government against Jelly Bean Communications Design and Jeremy Spinks - the company's co-owner, manager and sole employee - after hackers gained access to half a million insurance applications for low-cost health and dental insurance for children aged between 5 and 18.
The Jelly Bean settlement is part of the Department of Justice's Civil Cyber-Fraud Initiative launched in October 2021.
The effort targets federal contractors "when they fail to follow required cybersecurity standards," Deputy Attorney General Lisa O. Monaco said at the time.
The state of Florida contracted with Jelly Bean in 2013 to manage the healthykids.org website for the Florida Healthy Kids Corp., the state-created entity that runs the national Children's Health Insurance Program through a combination of federal and state money.
The settlement comes from allegations that Spinks submitted false claims - the falsity being that Jelly Bean asserted it would safeguard data covered by HIPAA.
Jelly Bean "knowingly failed to properly maintain, patch, and update the software systems, leaving the HealthyKids.org site and its data vulnerable to attack," the Justice Department says.
"Billing for HIPAA compliant services exposed Jelly Bean to federal criminal liability," said regulatory attorney Paul Hales of Hales Law. "Vendors handling PHI without a robust HIPAA compliance program in place should beware and be very careful. Now we see they might face federal fraud and False Claim Act charges."
A February 2021 breach notification said a large number of applicants' addresses had been inappropriately accessed and altered in the incident (see: Kids' Health Insurer's Website Vulnerable for 7 Years).
Among the data potentially exposed were Social Security numbers, financial data of parents - including wages, alimony and child support - and email and physical addresses.
An investigation by Florida Healthy Kids Corp. found a number of outdated and vulnerable applications on the website's back end, including software not updated or patched since November 2013.
Reached by phone, Jeremy Spinks declined Information Security Media Group's request for comment on the settlement and prosecutors' allegations. He wouldn't comment on whether he's still involved with Jelly Bean operations.
The company did not immediately respond to ISMG's request for comment on the settlement. The Justice Department says the company no longer performs work on any government programs or for health care-related purposes.