The federal government alleged that CHS did not confide in the State Division that it had not persistently saved sufferers’ medical data on a safe digital medical file (EMR) system, with CHS employees saving and leaving scanned copies of some data on an inner community drive that was accessible to non-clinical employees. DOJ stated that even after employees raised considerations in regards to the privateness of protected medical data, CHS didn’t take ample steps to retailer the data completely on the EMR system.
A 12 months later, in March 2023, the DOJ introduced its second cyber-related case by the Civil Cyber-Fraud Initiative towards Jelly Bean Communications Design LLC and firm supervisor and co-owner Jeremy Spinks, who agreed to pay $293,771. The settlement resolved False Claims Act allegations Jelly Beans and Spinks did not safe private data on a federally funded Florida kids’s medical insurance web site run by the Medicaid-funded Florida Wholesome Youngsters Company (FHKC), which Jelly Bean created, hosted, and maintained.
Below FHKC’s settlement with Jelly Bean, the contractor agreed to supply a completely purposeful internet hosting setting that complied with the protections for private data imposed by the Well being Insurance coverage Portability and Accountability Act of 1996, and Jelly Bean agreed to adapt, modify, and create the required code on the webserver to help the safe communication of information.
DOJ alleged that from January 1, 2014, by way of December 14, 2020, Jelly Bean didn’t present safe internet hosting of candidates’ private data and as an alternative knowingly did not correctly keep, patch, and replace the software program techniques underlying HealthyKids.org and its associated web sites, leaving the location and the information Jelly Bean collected from candidates susceptible to assault.
In early December 2020, greater than 500,000 purposes submitted on HealthyKids.org have been revealed to have been hacked, probably exposing the candidates’ private figuring out data and different information. As a result of data breach and Jelly Bean’s cybersecurity failures, FHKC shut down the web site’s utility portal in December 2020.
There are no less than two different cyber-related False Claims actions that the DOJ has not laid declare to beneath its cyber initiative banner. In March 2022, the division stated California-based army and authorities contractor Aerojet Rocketdyne violated the False Claims Act by misrepresenting its compliance with cybersecurity necessities in sure federal authorities contracts.