Jelly Bean Communications Design, which hosted and maintained a federally funded Florida children's health insurance website, agreed to pay a $293,771 settlement to resolve allegations it provided deficient security controls to Florida Healthy Kids Corp., SC Media reported March 15.
Florida Healthy Kids Corp. is an insurance website that offered health and dental insurance for children under a state-issued contract between Oct. 31, 2013, and 2020.
In February 2021, Florida Healthy Kids Corp. experienced a data breach that compromised the personal health information of 3.5 million online applicants and enrollees over a seven-year period.
The cause, according to the Department of Justice, was Jelly Bean's failure to patch multiple website vulnerabilities.
Jelly Bean was supposed to provide Florida Healthy Kids Corp. with a HIPAA-compliant website, yet the Department of Justice found that Jelly Bean's manager "knowingly failed to properly maintain, patch, and update the software systems."
The vulnerabilities left the website and patient data exposed to cyber threats for seven years.
The patient information compromised in the breach included names, dates of birth, Social Security numbers, financial information, family relationships and secondary insurance data.
In total, more than 500,000 applications submitted on the HealthyKids website were hacked.
The website has since been taken down.