The government alleged that CHS failed to disclose to the State Department that it had not consistently stored patients’ medical records on a secure electronic medical record (EMR) system, with CHS staff saving and leaving scanned copies of some records on an internal network drive that was accessible to non-clinical staff. DOJ said that even after staff raised concerns about the privacy of protected medical information, CHS did not take adequate steps to store the information exclusively on the EMR system.
A year later, in March 2023, the DOJ announced its second cyber-related case by the Civil Cyber-Fraud Initiative against Jelly Bean Communications Design LLC and company manager and co-owner Jeremy Spinks, who agreed to pay $293,771. The settlement resolved False Claims Act allegations Jelly Beans and Spinks failed to secure personal information on a federally funded Florida children’s health insurance website run by the Medicaid-funded Florida Healthy Kids Corporation (FHKC), which Jelly Bean created, hosted, and maintained.
Under FHKC’s agreement with Jelly Bean, the contractor agreed to provide a fully functional hosting environment that complied with the protections for personal information imposed by the Health Insurance Portability and Accountability Act of 1996, and Jelly Bean agreed to adapt, modify, and create the necessary code on the webserver to support the secure communication of data.
DOJ alleged that from January 1, 2014, through December 14, 2020, Jelly Bean did not provide secure hosting of applicants’ personal information and instead knowingly failed to properly maintain, patch, and update the software systems underlying HealthyKids.org and its related websites, leaving the site and the data Jelly Bean collected from applicants vulnerable to attack.
In early December 2020, more than 500,000 applications submitted on HealthyKids.org were revealed to have been hacked, potentially exposing the applicants’ personal identifying information and other data. Due to the data breach and Jelly Bean’s cybersecurity failures, FHKC shut down the website’s application portal in December 2020.
There are at least two other cyber-related False Claims actions that the DOJ has not laid claim to under its cyber initiative banner. In March 2022, the department said California-based military and government contractor Aerojet Rocketdyne violated the False Claims Act by misrepresenting its compliance with cybersecurity requirements in certain federal government contracts.