Florida Medicaid website contractor settles fraud allegations for over $290,000

by Ben Vernia | March 20th, 2023

On March 14, the Department of Justice announced that a Florida-based website company that failed to provide a secure enrollment website to the Florida Medicaid program has agreed to pay over $290,000 to settle False Claims Act allegations. According to DOJ’s press release:

Jelly Bean Communications Design LLC (Jelly Bean) and Jeremy Spinks have agreed to pay $293,771 to resolve False Claims Act allegations that they failed to secure personal information on a federally funded Florida children’s health insurance website, which Jelly Bean created, hosted, and maintained.

* * *

The Florida Healthy Kids Corporation (FHKC) is a state-created entity that offers health and dental insurance for Florida children ages five through 18. FHKC receives federal Medicaid funds as well as state funds to provide children’s health insurance programs. On Oct. 31, 2013, FHKC contracted with Jelly Bean for “website design, programming and hosting services.” The agreement required that Jelly Bean provide a fully functional hosting environment that complied with the protections for personal information imposed by the Health Insurance Portability and Accountability Act of 1996, and Jelly Bean agreed to adapt, modify, and create the necessary code on the webserver to support the secure communication of data. Jeremy Spinks, the company’s manager, 50% owner, and sole employee, signed the agreement. Under its contracts with FHKC, between 2013 and 2020, Jelly Bean created, hosted, and maintained the website HealthyKids.org for FHKC, including the online application into which parents and others entered data to apply for state Medicaid insurance coverage for children.

The settlement announced today resolves allegations that from January 1, 2014, through Dec. 14, 2020, contrary to its representations in agreements and invoices, Jelly Bean did not provide secure hosting of applicants’ personal information and instead knowingly failed to properly maintain, patch, and update the software systems underlying HealthyKids.org and its related websites, leaving the site and the data Jelly Bean collected from applicants vulnerable to attack. In or around early December 2020, more than 500,000 applications submitted on HealthyKids.org were revealed to have been hacked, potentially exposing the applicants’ personal identifying information and other data. The United States alleged that Jelly Bean was running multiple outdated and vulnerable applications, including some software that Jelly Bean had not updated or patched since November 2013. In response to this data breach and Jelly Bean’s cybersecurity failures, FHKC shut down the website’s application portal in December 2020.  

* * *

The case apparently arose from a government investigation, and not from a whistblower’s lawsuit.

Leave a Reply

Recent Posts

Recent Comments