We previously wrote about the United States Department of Justice’s (“DOJ”) Civil Cyber-Fraud Initiative (“CCFI”), which “aims to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”  In that post, we summarized DOJ’s first two False Claims Act (“FCA”) resolutions pursuant to the CCFI, which amounted to more than $9 million in recoveries.

As part of its continued efforts to “combat new and emerging cyber threats to the security of sensitive information and critical systems,” DOJ announced another resolution.  Specifically, DOJ entered into an FCA settlement agreement with Jelly Bean Communications Design LLC (“Jelly Bean”) and its manager, Jeremy Spinks (“Spinks”), to resolve allegations that they failed to secure personal information on a federally-funded Florida children’s health insurance website called HealthyKids.org, which was created, hosted, and maintained by Jelly Bean.  To resolve these allegations, Jelly Bean and Spinks agreed to pay $293,771.

In 2013, Jelly Bean contracted with the Florida Health Kids Corporation (“FHKC”)—a state-created entity that offers health and dental insurance for Florida children—to create, host, and maintain HealthyKids.org, where, in part, parents and others could apply for state Medicaid insurance coverage for eligible children.  Under its agreement with FHKC, Jelly Bean was required to provide a fully-functional hosting environment that complied with HIPAA rules, including ensuring the security of protected health information (“PHI”) entered and maintained on the website for purposes of a parents’ or others’ application for state Medicaid insurance coverage for eligible children.

The FCA settlement agreement alleged that, for about seven years, Jelly Bean did not provide secure hosting of the applicants’ PHI, but instead knowingly failed to properly maintain, patch, and update software systems underlying HealthyKids.org and related websites.  Jelly Bean’s failure left the website and such PHI vulnerable from attack.  Despite not providing the foregoing, Jelly Bean represented compliance with its contract with FHKC.  In or around December 2020, more than half a million applications submitted on HealthKids.org were hacked and the PHI contained therein were potentially exposed.  DOJ determined that, at that time, Jelly Bean was running multiple outdated and vulnerable applications, including software that had not been updated since only a month after entering into its contract with FHKC—in 2013.  FHKC shut down its website’s application portal shortly thereafter.

Government contractors, such as Jelly Bean, are expected “to do the due diligence to keep software applications updated and secure” to ensure the “safeguarding [of] patients’ medical and other personal information.”  Just as it was emphasized by DOJ when it announced the CCFI and its first two FCA resolutions pursuant to the CCFI, the government re-emphasized that it “will continue to work … to ensure that enrollees can rely on their health care providers to safeguard their personal information.”

Follow us at https://privacylaw.proskauer.com/ for updates as DOJ continues its CCFI enforcement efforts.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Matthew J. Westbrook Matthew J. Westbrook

Matt is an associate in the Corporate Department and a member of the Health Care Group.  His practice focuses on providing regulatory compliance advice for the Firm’s health care clients, including service providers, health plans, operators, investors, and lenders, among others.  Matt specifically…

Matt is an associate in the Corporate Department and a member of the Health Care Group.  His practice focuses on providing regulatory compliance advice for the Firm’s health care clients, including service providers, health plans, operators, investors, and lenders, among others.  Matt specifically provides advice on fraud and abuse matters arising under the Federal False Claims Act (FCA), Civil Monetary Penalties Law (CMPL), Federal Anti-Kickback Statute (AKS), and Physician Self-Referral Law (Stark Law), as well as on the regulations promulgated by the Drug Enforcement Administration (DEA) and the Department of Health and Human Services, including the Office of Inspector General (OIG), Centers for Medicare & Medicaid Services (CMS), and Food and Drug Administration (FDA).

Photo of Ryan P. Blaney Ryan P. Blaney

Ryan Blaney represents health care, life science, and technology clients in a range of regulatory, enforcement, internal investigative and transactional matters, with particular expertise in privacy law, life sciences and digital health. He also has expertise in regulatory compliance, counseling clients on a…

Ryan Blaney represents health care, life science, and technology clients in a range of regulatory, enforcement, internal investigative and transactional matters, with particular expertise in privacy law, life sciences and digital health. He also has expertise in regulatory compliance, counseling clients on a range of matters, including health care fraud and abuse, third party reimbursement, data breach issues, data privacy and security, and FDA regulatory matters. He has substantial experience in pharmaceutical lifecycle management and competition issues, including the Hatch- Waxman Act and Biosimilars Price Competition and Innovations Act.

Ryan serves information technology companies, public and private health care companies, hospitals and physician organizations, manufacturers, medical device companies, and health plans. He guides venture capital groups, private equity funds, investment banks, and other investors on health care regulatory issues in connection with financing, mergers and acquisitions, and restructuring.

Ryan’s work is greatly informed by his experience as a teacher. Prior to attending law school, Ryan earned a master’s degree in education and taught at an under-resourced Catholic middle school. He is known for his ability to communicate clearly and to coordinate large teams working on complex matters. Outside of his health law practice, Ryan has been repeatedly recognized for his public service and pro bono work. He has successfully handled numerous education-related cases, helped establish three nonprofit organizations and defended qualified recipients of disability benefits.