Not So Sweet: DOJ’s Second Cyber-Fraud Initiative Settlement Is With Jelly Bean Communications Design

Qui Notes readers will recall that a year and a half ago, the Justice Department announced its Civil Cyber-Fraud Initiative, promising to use the False Claims Act to “extract very hefty fines” from contractors and others “entrusted with government dollars” who “fail to follow required cybersecurity standards.” DOJ announced its first recovery under the initiative in March 2022, reaching a settlement just under $1 million with a contractor that allegedly failed to safeguard the health records of military and diplomatic personnel in Iraq.

A year later, DOJ has announced its second recovery under the initiative. Like last year’s, it was not a blockbuster in terms of size, but it underscores DOJ’s continued emphasis on pursuing FCA claims related to cybersecurity. The settling company is Jelly Bean Communications Design, which held a contract to design and host a website that complied with the Health Insurance Portability and Accountability Act (commonly known as HIPAA) for Florida’s children’s health insurance program, which receives both state and federal funds.

Yet, according to the covered conduct in the settlement agreement, the website — which was used by those applying for insurance under the program — in fact did not provide HIPAA-compliant data hosting. DOJ alleges that Jelly Bean knowingly failed to apply patches to bring it into compliance and misrepresented its compliance in its agreements and invoices. In late 2020, the government discovered that more than 500,000 applications submitted through the website had been hacked, potentially exposing sensitive personal information of hundreds of thousands of applicants. The settlement requires Jelly Bean and a part-owner of the company to pay just under $300,000.

The settlement underscores that, although DOJ has not had substantial recoveries from the Cyber-Fraud Initiative in the 18 months since it was instituted, DOJ is thinking broadly about using the FCA to enforce cybersecurity obligations. As in this case, DOJ may not see a hack or cyber attack as merely the work of hostile actors, but also the result of insufficient security practices by the contractor — especially where the contractor has agreed to adhere to specified types of cybersecurity measures, such as those relating to personal health information. We note that the initiative’s two recoveries to date have related to healthcare data that had not been safeguarded by the software providers specifically tasked with doing so.

Given DOJ’s strong rhetoric when it announced the initiative, we expect to see more (and larger) recoveries as the initiative matures, DOJ gains more experience pursuing cyber issues under the FCA, and relator-initiated cases are unsealed. We will continue to monitor and report on any developments here at Qui Notes.

© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.