[author: Jane Anderson]
A Florida communications company and its owner agreed to pay $293,771 to resolve False Claims Act (FCA) allegations that they failed to secure personal information on a federally funded Florida children’s health insurance website, HealthyKids.org.
The March 14 settlement against Jelly Bean Communications Design LLC represents the third action in the U.S. Department of Justice’s (DOJ’s) Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
Two of the three initiative actions have involved health care entities, and so this effort provides an additional way—separate from actions by the HHS Office for Civil Rights—for the federal government to hold health care entities accountable for major security lapses that expose individuals’ personal information.
“Government contractors responsible for handling personal information must ensure that such information is adequately protected,” said Principal Assistant Attorney General Brian Boynton, head of DOJ’s Civil Division.
In October 2013, the Florida Healthy Kids Corporation (FHKC), a state-created entity that offers health and dental insurance for Florida children ages five through 18, contracted with Jelly Bean for “website design, programming and hosting services.” FHKC receives Medicaid and state funds to provide children’s health insurance programs.
The agreement with FHKC required that Jelly Bean provide a fully functional hosting environment that complied with the protections for personal information imposed by HIPAA; Jelly Bean agreed to adapt, modify and create the necessary code on the webserver to support the secure communication of data, DOJ said. Jeremy Spinks, the company’s manager, 50% owner and sole employee, signed the agreement.
Jelly Bean “Did Not Provide Secure Hosting”
Under its contracts with FHKC, between 2013 and 2020, Jelly Bean created, hosted and maintained HealthyKids.org for FHKC, including the online application into which parents and others entered information to apply for state Medicaid insurance coverage for children.
The settlement resolves allegations that from Jan. 1, 2014, through Dec. 14, 2020, “contrary to its representations in agreements and invoices, Jelly Bean did not provide secure hosting of applicants’ personal information and instead knowingly failed to properly maintain, patch, and update the software systems underlying HealthyKids.org and its related websites, leaving the website and the data Jelly Bean collected from applicants vulnerable to attack,” DOJ said.
“In or around early December 2020, more than 500,000 applications submitted on HealthyKids.org were revealed to have been hacked, potentially exposing the applicants’ personal identifying information and other data,” DOJ said.
At the time, FHKC reported that the incident involved access to and tampering with the applications for “several thousand” Medicaid applicants.
After its investigation, FHKC reported, “cybersecurity experts discovered significant vulnerabilities in the hosted website platform and the databases that support the online Florida KidCare application. FHKC learned that these vulnerabilities spanned a seven-year period from November 2013 until December 2020.”
The information that may have been exposed included full names, dates of birth, email addresses, telephone numbers, addresses, Social Security numbers, financial information and secondary insurance information. However, Jelly Bean did not maintain adequate audit logs showing who accessed applicants’ personal data, DOJ said.
Software Was Not Updated or Patched
DOJ alleged that Jelly Bean was running multiple outdated and vulnerable applications, including some software that Jelly Bean had not updated or patched since November 2014. “Inconsistent with its representations in the agreements and invoices, Jelly Bean did not provide secure hosting of applicants’ personal information and instead failed to properly maintain, patch, and update the software systems underlying HealthyKids.org and its related websites, leaving the website and the data Jelly Bean collected from applicants vulnerable to attack,” DOJ said in its settlement agreement.
In response to the data breach and Jelly Bean’s cybersecurity failures, FHKC shut down the website’s application portal in December 2020, DOJ said.
One of the two prior Civil Cyber-Fraud Initiative settlements involved a Florida health care entity. In that one, Comprehensive Health Services LLC (CHS), based in Cape Canaveral, Florida, agreed in March 2022 to pay $930,000 to resolve allegations that it violated the FCA by falsely representing to the U.S. State Department and the Air Force that it complied with contract requirements relating to the provision of medical services at facilities in Iraq and Afghanistan.
According to that settlement, CHS, a provider of global medical services, submitted claims to the State Department for the cost of a secure electronic medical record (EMR) system to store all patients’ medical records, including the confidential identifying information of U.S. service members, diplomats, officials and contractors working and receiving medical care in Iraq.
DOJ alleged that, between 2012 and 2019, CHS failed to disclose to the State Department that it had not consistently stored patients’ records on a secure EMR system. When CHS staff scanned medical records for the EMR system, staff also saved and left scanned copies of some records on an internal network drive, which was accessible to nonclinical staff. “Even after staff raised concerns about the privacy of protected medical information, CHS did not take adequate steps to store the information exclusively on the EMR system,” DOJ said.
The other Civil Cyber-Fraud Initiative settlement, announced in July 2022, involved Aerojet Rocketdyne Inc., a California contractor working with the U.S. Department of Defense, NASA and other federal agencies.
1 U.S. Department of Justice, “Jelly Bean Communications Design and its Manager Settle False Claims Act Liability for Cybersecurity Failures on Florida Medicaid Enrollment Website,” news release, March 14, 2023, https://bit.ly/3Lvosb1.
4 U.S. Department of Justice, “Medical Services Contractor Pays $930,000 to Settle False Claims Act Allegations Relating to Medical Services Contracts at State Department and Air Force Facilities in Iraq and Afghanistan,” news release, March 8, 2022, https://bit.ly/3ZWWnxL.