Website company to pay nearly $300,000 for failing to secure children's personal data

March 14 (UPI) -- A website management company has agreed to pay nearly $300,000 for failing to secure personal information on a federally funded Florida children's health insurance website.

The Justice Department announced the $293,771 settlement Tuesday, resolving False Claims Act allegations against Jelly Bean Communications Design and the company's manager, Jeremy Spinks.


"Government contractors responsible for handling personal information must ensure that such information is appropriately protected," Principal Deputy Assistant Attorney General Brian Boynton, head of the Justice Department's civil division, said in a statement. "We will use the False Claims Act to hold accountable companies and their management when they knowingly fail to comply with their cybersecurity obligations and put sensitive information at risk."

Florida Healthy Kids Corporation, which is a state-created entity and offers health and dental insurance for children ages five through 18, contracted with Jelly Bean in 2013 for "website design, programming, and hosting services." The agreement, signed by Spinks, said the website would comply with all protections for personal information imposed by the Health Insurance Portability and Accountability Act of 1996.

"Companies have a fundamental responsibility to protect the personal information of their website users," said Special Agent in Charge Omar Pérez Aybar of the Department of Health and Human Services, Office of Inspector General.


The website, called for FHKC, provided an online application for parents to enter data and apply for state Medicaid insurance coverage for their children.

Between 2014 and 2020, the Justice Department said Jelly Bean failed to provide secure hosting of the applicants' personal information, while also failing to update software systems that left the site and data vulnerable to attack.

FHKC was forced to shut down the website's application portal in December 2020 after a data breach exposed the personal data of more than 500,000 applications.

The following year, the Deputy Attorney General announced the Department's Civil Cyber-Fraud Initiative. The initiative holds companies and individuals accountable for putting U.S information or systems at risk by knowingly providing deficient cybersecurity services or failing to monitor and report cybersecurity breaches.

"Safeguarding patients' medical and other personal information is paramount," said U.S. Attorney Roger Handberg for the Middle District of Florida. "This settlement demonstrates the commitment by my office and our partners to use every available tool to protect Americans' health care data."

Latest Headlines