The Department of Justice issued a press release detailing Jelly Bean Communications Design's settlement to resolve an allegation of False Claims in Florida.
Jelly Bean Communications Design (Jelly Bean) is a design firm based in Tallahassee, Florida, specializing in web design, branding, and programming.
In 2013, The Florida Healthy Kids Corporation (FHKC) contracted Jelly Bean for its hosting, website design, and programming services. FHKC is a Florida-created organization designed to provide health and dental insurance for children in the state, receiving both state and federal funds through Medicaid.
FHKC contracted with Jelly Bean under the assurance that Jelly Bean's website for FKHC would be HIPAA compliant, a compliance process that required Jelly Bean to create the necessary code for data protection.
While Jelly Bean maintained and hosted the site for FHKC from 2013 to 2020, assisting hundreds of thousands of families in enrolling in insurance policies, they failed to maintain HIPAA compliance. In 2020, FHKC released a statement revealing that approximately 500,000 insurance applications had been hacked, potentially exposing personal data, including social security numbers, home addresses, and more.
The Department of Health and Human Services (HHS) filed a lawsuit against Jelly Bean for violations of HIPAA, which included outdated software. The website portal was also shut down.
Jelly Bean ultimately settled the case for $293,771 rather than go to trial.
Read more: False Claims Act liability for HIPAA compliance and security failures
According to United States Attorney Roger Handberg, "This settlement demonstrates the commitment by my office and our partners to use every available tool to protect Americans' health care data."
The HHS also reinforced the diligence necessary to protect personal health information on websites, with Special Agent in Charge Omar Perez Aybar stating, "It is unacceptable for an organization to fail to do the due diligence to keep software applications updated and secure and thereby compromise the data of thousands of children."
It is common for government entities to contract with outside companies to complete projects. Even though Jelly Bean is a small operation with only one employee, they are still held to the same standards of HIPAA compliance.
Jelly Bean was filed against using the False Claim Act, a statute that, according to the Department of Justice, states any person who "knowingly submitted false claims to the government [is] liable for double government's damages plus a penalty of $2,000 for each false claim." By signing the contract and then failing to maintain HIPAA compliance, Jelly Bean knowingly defrauded government citizens.
Furthermore, Deputy Attorney General Lisa O. Monaco announced the department is cracking down on fraud with the creation of the Department's Civil Cyber-Fraud Initiative, which hopes to hold entities accountable for failures in cybersecurity. In her announcement, she said, "For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it."
While Jelly Bean shows one of the most recent uses of the False Claims Act, it's unlikely to be the last now that the government is following through with its plans to end cyber-fraud.
Government contractors should remain diligent in following HIPAA best practices to avoid damages and penalties alongside the release of government-protected information.
Related: HIPAA Compliant Email: The Definitive Guide