Florida Web Designer Settles with DOJ on 2020 HealthyKids.org Medicaid Breach | Health Care Compliance Association (HCCA)
(author: Jane Anderson)
Report on Patient Privacy Volume 23, Number 4. April 2023
A Florida communications firm and its owner agreed to pay $293,771 to resolve False Claims Act (FCA) allegations that they failed to secure personal information on a federally funded Florida children’s health insurance website, HealthyKids.org.
The March 14 settlement(1) against Jelly Bean Communications Design LLC represents the third action in the U.S. Department of Justice’s (DOJ’s) Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
Two of the three initiative actions have involved health care entities, and so this effort provides another avenue—separate from actions by the HHS Office for Civil Rights—for the federal government to hold health care entities accountable for major security lapses that expose individuals’ personal information.
“Government contractors responsible for handling personal information must ensure that such information is appropriately protected,” said Principal Assistant Attorney General Brian Boynton, head of DOJ’s Civil Division.
In October 2013, the Florida Healthy Kids Corporation (FHKC), a state-created entity that offers health and dental insurance for Florida children ages 5 through 18, contracted with Jelly Bean for “website design, programming and hosting services.” FHKC receives Medicaid and state funds to provide children’s health insurance programs.
The agreement with FHKC required that Jelly Bean provide a fully functional hosting environment that complied with the protections for personal information imposed by HIPAA; Jelly Bean agreed to adapt, modify and create the necessary code on the webserver to support the secure communication of data, DOJ said. Jeremy Spinks, the company’s manager, 50% owner and sole employee, signed the agreement.
Jelly Bean “Did Not Provide Secure Hosting”
Under its contracts with FHKC, between 2013 and 2020, Jelly Bean created, hosted and maintained HealthyKids.org for FHKC, including the web application into which parents and others entered data to apply for state Medicaid insurance coverage for children.
The settlement resolves allegations that from Jan. 1, 2014, through Dec. 14, 2020, “contrary to its representations in agreements and invoices, Jelly Bean failed to provide secure hosting of applicants’ personal information and instead knowingly failed to properly maintain, patch, and update the software systems underlying HealthyKids.org and its related websites, leaving the site and the data Jelly Bean collected from applicants vulnerable to attack,” DOJ said.
“In or around early December 2020, more than 500,000 applications submitted on HealthyKids.org were revealed to have been hacked, potentially exposing the applicants’ personal identifying information and other data,” DOJ said.
At the time, FHKC said that the incident involved access to and tampering with the applications of “several thousand” Medicaid applicants.(2)
After its investigation, FHKC said, “cybersecurity experts identified significant vulnerabilities in the hosted website platform and the databases that support the online FloridaKidCare application. FHKC learned that these vulnerabilities spanned a seven-year period from November 2013 until December 2020.”
The information that may have been exposed included full names, dates of birth, email addresses, phone numbers, addresses, Social Security numbers, financial information and secondary insurance information. However, Jelly Bean did not maintain sufficient audit logs showing who accessed applicants’ personal information, DOJ said.
Software Was Not Updated or Patched
DOJ alleged that Jelly Bean was running multiple outdated and vulnerable applications, including some software that Jelly Bean had not updated or patched since November 2014. “Inconsistent with its representations in the agreements and invoices, Jelly Bean failed to provide secure hosting of applicants’ personal information and instead failed to properly maintain, patch, and update the software systems underlying HealthyKids.org and its related websites, leaving the site and the data Jelly Bean collected from applicants vulnerable to attack,” DOJ said in its settlement agreement.(3)
In response to the data breach and Jelly Bean’s cybersecurity failures, FHKC shut down the website’s application portal in December 2020, DOJ said.
One of the two prior Civil Cyber-Fraud Initiative settlements involved a Florida health care entity. In that one, Comprehensive Health Services LLC (CHS), based in Cape Canaveral, Florida, agreed in March 2022 to pay $930,000 to resolve allegations that it violated the FCA by falsely representing to the U.S. State Department and the Air Force that it complied with contract requirements relating to the provision of medical services at facilities in Iraq and Afghanistan.(4)
According to that settlement, CHS, a provider of global medical services, submitted claims to the State Department for the cost of a secure electronic medical record (EMR) system to store all patients’ medical records, including the confidential identifying information of U.S. service members, diplomats, officials and contractors working and receiving medical care in Iraq.
DOJ alleged that, between 2012 and 2019, CHS failed to disclose to the State Department that it had not consistently stored patients’ records on a secure EMR system. When CHS staff scanned medical records for the EMR system, staff also saved and left scanned copies of some records on an internal network drive, which was accessible to nonclinical staff. “Even after staff raised concerns about the privacy of protected medical information, CHS failed to take adequate steps to store the information exclusively on the EMR system,” DOJ said.
The second Civil Cyber-Fraud Initiative settlement, announced in July 2022, involved Aerojet Rocketdyne Inc., a California contractor working with the U.S. Department of Defense, NASA and other federal agencies.
1 U.S. Department of Justice, “Jelly Bean Communications Design and its Manager Settle False Claims Act Liability for Cybersecurity Failures on Florida Medicaid Enrollment Website,” news release, March 14, 2023, https://bit.ly/3Lvosb1.
2 Jane Anderson, “Privacy Briefs: February 2021,” Report on Patient Privacy 21, no. 2 (February 2021), https://bit.ly/42nPffh.
3 U.S. Department of Justice v. Jelly Bean Communications Design LLC and Jeremy Spinks, “Settlement Agreement,” March 14, 2023, https://bit.ly/3Tp0aRQ.
4 U.S. Department of Justice, “Medical Services Contractor Pays $930,000 to Settle False Claims Act Allegations Relating to Medical Services Contracts at State Department and Air Force Facilities in Iraq and Afghanistan,” news release, March 8, 2022, https://bit.ly/3ZWWnxL.