Web hosting provider fined $300,000 in data security case

by James · March 15, 2023

Web hosting provider fined 0,000 in data security case

A website hosting provider has agreed to pay nearly $300,000 over allegations that it failed to protect sensitive data on a federally funded online service for children. It is believed that files belonging to half a million health insurance claimants were hacked as a result.

Jelly Bean Communications Design was charged under the False Claims Act after it was found that data stored between 2014 and 2020 on the website, used by parents of children ages 5 to 17 in Florida to apply for children’s health insurance, were not properly guarded.

Jelly Bean had been contracted in 2013 by state health and dental insurance provider Florida Healthy Kids Corporation (FHKC) to curate HealthyKids.org and “related websites,” said the US Department of Justice (DoJ), which announced the settlement.

Jeremy Spinks, Jelly Bean’s sole operator and co-owner, appears to have escaped a lawsuit that could have landed him behind bars, but is now responsible for paying $293,771 in damages under the agreement reached in a court in Florida.

Table of Contents

Bag duty ignored, claims DoJ

The DoJ alleges that “contrary to its representations in agreements and invoices, Jelly Bean did not provide secure hosting of applicants’ personal information and instead deliberately failed to properly maintain, patch and update its software systems.”

This left HealthyKids.org and its related websites and data collected by Jelly Bean from users open to a cyberattack — a threat the DoJ said was realized in 2020 when more than 500,000 insurance applications sent to the site were “disclosed to have been hacked, potentially exposing applicants’ personal identifying information and other data.”

The case against Jelly Bean accuses it of running several outdated and therefore vulnerable apps in breach of the duty of care it signed when it agreed to contract for FHKC. In some cases, software had not been patched, that is, fixed for vulnerabilities, since the year the agreement took effect, the DoJ added.

Shortly after the alleged hacking incident, the websites in question were closed by FHKC.

Zero tolerance for negligence

“Government contractors responsible for handling personal information must ensure that such information is appropriately protected,” DoJ Deputy Assistant Attorney General Brian Boynton said. “We will use the False Claims Act to hold companies and their management accountable when they knowingly fail to comply with their cybersecurity obligations and put sensitive information at risk.”

“Protecting patients’ medical and other personal information is critical,” said United States Attorney Roger Handberg for the Middle District of Florida. “This settlement demonstrates my office and our partners’ commitment to using every tool available to protect Americans’ health care.”

Although Spinks avoided a prison sentence, the DoJ suggested that the settlement with Jelly Bean marks a victory for the Civil Cyber Fraud Initiative, created in 2021 “to hold accountable entities or individuals who put United States information or systems at risk by knowingly providing inadequate cybersecurity products or services’ in breach of their obligations.