A Florida company has agreed to pay nearly $300,000 to resolve allegations that it failed to secure personal information for a Florida children’s health insurance website that was hacked in 2020 for the data of 500,000 people.
On Tuesday, March 14, the U.S. Attorney’s Office for the Middle District of Florida announced that Jelly Bean Communications Design, LLC and its owner Jeremy Spinks have agreed to settle the claims for $293,771.
According to court records, the Florida Healthy Kids Corporation (FHKC) contracted Jelly Bean for website design, programming, and hosting services on October 31, 2013.
The FHKC is a state-created entity that offers health and dental insurance for Florida children between the ages of 5 and 18. The organization receives federal Medicaid funds and state funds to provide children’s health insurance programs.
The agreement required that Jelly Bean provide a fully functional hosting environment that complied with the protections for personal information required by the Health Insurance Portability and Accountability Act of 1996.
Jelly Bean, which was partially owned and operated by Spinks as the sole employee, agreed to adapt, modify, and create the necessary code on the webserver to support the secure communication of data as part of the agreement.
Between 2013 and 2020, Spinks created, hosted, and maintained HealthyKids.org for FHKC. As part of the website, Spinks created an online application through which parents and others entered data to apply for state Medicaid insurance coverage for children.
In early December 2020, more than 500,000 applications submitted through the website were revealed to have been hacked, potentially exposing the applicants’ personal identifying information and other data. The United States federal government alleged that Jelly bean was running multiple, outdated and vulnerable applications, including some software that had not been updated or patched since November 2013.
In response to the data breach and Jelly Bean’s cybersecurity failures, the website’s application portal was shut down in December 2020.
“Safeguarding patients’ medical and other personal information is paramount,” said U.S. Attorney Roger Handberg for the Middle District of Florida. “This settlement demonstrates the commitment by my office and our partners to use every available tool to protect Americans’ health care data.”