Web hosting provider fined $300k in data safety case

A website hosting provider has agreed to pay nearly $300,000 over claims that it failed to safeguard sensitive data held on a federally funded online service for children. It is believed that files belonging to half a million health insurance applicants were hacked as a result.

Jelly Bean Communications Design was facing charges under the False Claims Act, after it emerged that data kept between 2014 and 2020 on the website, used by parents of children aged 5 to 17 in Florida to apply for child health insurance, was not guarded properly.

Jelly Bean had been contracted in 2013 by state-created health and dental insurance provider Florida Healthy Kids Corporation (FHKC) to curate HealthyKids.org and “related websites”, said the US Department of Justice (DoJ), announcing the settlement.

Jeremy Spinks, Jelly Bean’s sole operator and co-owner, appears to have escaped a trial that could have landed him behind bars, but is now liable to pay $293,771 in damages per the agreement reached at a court in Florida.

Duty of care ignored, claims DoJ

The DoJ alleges that “contrary to its representations in agreements and invoices, Jelly Bean did not provide secure hosting of applicants’ personal information and instead knowingly failed to properly maintain, patch, and update the software systems.”

This left HealthyKids.org and its related sites and data collected by Jelly Bean from users wide open to a cyberattack – a threat that the DoJ said was realized in 2020 when more than 500,000 insurance applications submitted to the site were “revealed to have been hacked, potentially exposing the applicants’ personal identifying information and other data.”

The case against Jelly Bean accuses it of running multiple outdated, and therefore vulnerable, applications in violation of the duty of care it accepted when it agreed to the contract with FHKC. In some cases, software had not been patched to fix known vulnerabilities since the year the agreement entered into force, the DoJ added.

Shortly after the alleged hacking incident, the websites in question were shut down by FHKC.

Zero tolerance for negligence

“Government contractors responsible for handling personal information must ensure that such information is appropriately protected,” said deputy assistant attorney general Brian Boynton of the DoJ. “We will use the False Claims Act to hold accountable companies and their management when they knowingly fail to comply with their cybersecurity obligations and put sensitive information at risk.”

“Safeguarding patients’ medical and other personal information is paramount,” said US Attorney Roger Handberg for the Middle District of Florida. “This settlement demonstrates the commitment by my office and our partners to use every available tool to protect Americans’ health care data.”

Though Spinks evaded a prison sentence, the DoJ implied that the settlement with Jelly Bean marks a win for its Civil Cyber Fraud Initiative, set up in 2021 “to hold accountable entities or individuals that put US information or systems at risk by knowingly providing deficient cybersecurity products or services” in violation of their obligations.