16 March 2023. The United States Department of Justice settled a case against Jelly Bean Communications Design LLC and its manager Jeremy Spinks; they have agreed to pay the United States $293,771 to resolve False Claims Act liability stemming from cybersecurity failures on a website used to enroll children in Florida’s Medicaid program. This settlement serves as an important reminder of the need for proper data security measures when dealing with sensitive healthcare-related information. This False Claims Act case highlights the importance of cybersecurity and data security, and is a crucial lesson for businesses in general and government contractors in specific to heed. There was no whistleblower in this case, but someone who observed the inadequate cybersecurity controls of this contractor could have filed a qui tam lawsuit and would have been entitled to 15-25% of the government’s recovery.
Florida’s state-created entity, the Florida Healthy Kids Corporation (FHKC) manages health and dental insurance for Medicaid-eligible Florida children between the ages of 5-18. The Florida Agency for Health Care Administration (AHCA) tapped FHKC to “provide services” for the State Children’s Health Insurance Plan Program (SCHIP). In late 2013, FHKC contracted with Jelly Bean for a HIPAA-compliant website. As Medicaid is a state and federally-funded program, almost 90% of the payments to Jelly Bean were federal taxpayer dollars. According to the allegations, Jelly Bean and its manager Jeremy Spinks knowingly failed to properly maintain, patch, and update the software systems underlying HealthyKids.org and its related websites that were used to enroll children in Florida’s Medicaid program. This failure left the site and the data Jelly Bean collected from applicants vulnerable, exposing the personal information of many applicants to potential misuse and fraud. By December 2020, FHKC became suspicious of over 500,000 applications received through HealthyKids.org because of a particular address used on the applications, discovered that the site had been hacked, and shut down the website. $130,565 of the settlement is restitution.
Knowingly misrepresenting compliance with cybersecurity protocols as part of a government contract constitutes a violation of the False Claims Act. The Department of Justice’s Civil Cyber-Fraud Initiative is an attempt to combat False Claims Act violations related to inadequate cybersecurity protocols. Through this initiative, the DOJ has prioritized cases involving fraud that involves systems securing personally identifiable information or confidential government data.
The False Claims Act is a federal law that imposes liability on individuals and organizations who knowingly present false or fraudulent claims for payment to the United States government. These false claims can include false statements, false records, false invoices, false certifications of compliance with certain laws and regulations, and other improper activities. The False Claims Act also allows private citizens and non-US citizens to file qui tam lawsuits on behalf of the government against those who have violated the False Claims Act. If a qui tam action is successful, the individual or organization responsible for false claims violations may be liable for damages and penalties in addition to any fines imposed by the federal government. The False Claims Act case against Jelly Bean Communications Design LLC serves as an important reminder that businesses must take appropriate steps to ensure adequate data security when dealing with sensitive information.
If you would like to report cyber fraud or government contracts fraud, you can contact attorneys at Tycko & Zavareei LLP. Eva Gunasekera and Renée Brooker are former officials of the United States Department of Justice and prosecuted whistleblower cases under the False Claims Act. Renée served as Assistant Director at the United States Department of Justice, the office that supervises False Claims Act cases in all 94 United States District Courts. Eva was the Senior Counsel for Health Care Fraud. Eva and Renée now represent whistleblowers. For a free consultation, you can contact Renée at [email protected] (tel.: 202-417-3664) or contact Eva Gunasekera at [email protected]. You can also go to Tycko & Zavareei LLP’s website for whistleblowers to learn more at https://www.fraudfighters.net/.