Jelly Bean Communications Design LLC settlement
SETTLEMENT AGREEMENT
This Settlement Agreement (Agreement) is entered into among the United States
of America, acting through the United States Department of Justice and on behalf of the
Office of Inspector General (OIG-HHS) of the Department of Health and Human
Services (HHS) (collectively the "United States") and Jelly Bean Communications
Design LLC (Jelly Bean) and Jeremy Spinks (collectively, the "Defendants") (all
hereafter collectively referred to as "the Parties"), through their authorized
representatives.
RR("TTAT .S
A. Jelly Bean is a Florida Limited Liability Company based out of
Tallahassee, Florida, that performs web hosting functions, but no longer performs work
on any government programs or for health care-related purposes. Jeremy Spinks is the
sole employee, manager, and 50 percent owner of Jelly Bean.
B. The Florida Healthy Kids Corporation (FHKC) is astate-created entity
that offers health and dental insurance for Florida children ages 5 through 18. FHKC
receives federal Medicaid funds as well as state funds to provide children's health
insurance programs.
C. On July 1, 2012, the State of Florida, Agency for Health Care
Administration (AHCA), contracted with FHKC to provide services for the State
Children's Health Insurance Plan Program (SCHIP). This included implementing
technical safeguards to protect the confidentiality, integrity, and availability of electronic
protected health information received, maintained, or transmitted on behalf of AHCA.
D. On October 31, 2013, FHKC contracted with Jelly Bean for "website
design, programming and hosting services." The agreement required, among other
things, that Jelly Bean provide afully-functional hosting environment that complied with
HIPAA. The agreement provided that Jelly Bean would adapt, modify, and create the
necessary code on the webserver to support the secure communication of data. Jeremy
Spinks signed the agreement on behalf of Jelly Bean. FHKC renewed its contract with
Jelly Bean through 2020. The federal government funded eighty-six percent of the
payments made from FHKC to Jelly Bean.
E. The United States contends that it has certain civil claims against
Defendants because they allegedly submitted, or caused to be submitted, false claims for
federal funds paid out through AHCA's contact with FHKC, and FHKC's contract with
Jelly Bean, during the period from January 1, 2014, through December 14, 2020, as
described in paragraphs E(i)-E(vii) below.
i. Under its contracts with FHKC, between 2013 and 2020, Jelly Bean
created, hosted, and maintained the website HealthyKids.org for FHKC. This included
the online application into which parents and others entered data to apply for state
Medicaid insurance coverage for children. Jelly Bean collected this data and sent it to
FHKC's third-party administrator.
ii. Under its agreements with FHKC, Jelly Bean submitted invoices for these
services. These invoices included a line item for "HIPAA-compliant hosting," and
charged a monthly "retainer fee" for hosting and other tasks.
iii. Inconsistent with its representations in the agreements and invoices, Jelly
Bean did not provide secure hosting of applicants' personal information and instead
2
failed to properly maintain, patch, and update the software systems underlying
HealthyKids.org and its related websites, leaving the site and the data Jelly Bean
collected from applicants vulnerable to attack.
iv. In or around early December 2020, it became apparent that more than
500,000 applications submitted on HealthyKids.org had been hacked by third parties.
Independent investigation by FHKC revealed that the hackers altered applications,
inserting a specific street address as their "calling card."
v. The FHKC investigation also revealed that the website created by Jelly
Bean was running multiple outdated and vulnerable applications, including some
software that Jelly Bean had not updated or patched since November 2013.
vi. Jelly Bean did not maintain adequate audit logs showing who accessed
applicants' personal information, but the information potentially exposed by the
website's vulnerabilities included an applicant's: 1) full name and date of birth; 2) email
address and telephone number; 3) physical and mailing address; 4) social security
number; 5) financial information, to include wages, alimony, child support, royalties,
other income, and tax deductions; 6) family relationships (such as mother of child,
sister/brother of applicant, etc.); and 7) secondary insurance information.
vii. In response to this data breach and Jelly Bean's cybersecurity failures,
FHKC shut down the website's application portal in December 2020.
The conduct described in this Paragraph E, above, is referred to below as the
Covered Conduct.
F. This Settlement Agreement is neither an admission of liability by Defendants nor
a concession by the United States that its claims are not well founded.
3
To avoid the delay, uncertainty, inconvenience, and expense of protracted
litigation of the above claims, and in consideration of the mutual promises and
obligations of this Settlement Agreement, the Parties agree and covenant as follows:
TERMS AND CONDITIONS
Defendants shall pay to the United States two hundred ninety-three
thousand, seven hundred seventy-one dollars ($293,771.00) (Settlement Amount) of
which $130,565.00 is restitution, by electronic funds transfer within thirty days of the
Effective Date of this Agreement, pursuant to written instructions to be provided by the
Office of the United States Attorney for the Middle District of Florida.
2. Subject to the exceptions in Paragraph 3 (concerning reserved claims)
below, and conditioned upon the United States' receipt of the Settlement Amount, the
United States releases Defendants from any civil or administrative monetary claim the
United States has for the Covered Conduct under the False Claims Act, 31 U.S.C. §§
3729-3733; the Program Fraud Civil Remedies Act, 31 U.S.C. §§ 3801-3812; or the
common law theories of breach of contract, payment by mistake, unjust enrichment, and
fraud.
3. Notwithstanding the release given in Paragraph 2 of this Agreement, or
any other term of this Agreement, the following claims and rights of the United States are
specifically reserved and are not released:
a. Any liability arising under Title 26, U.S. Code (Internal Revenue
Code);
4
b. Any criminal liability;
c. Except as explicitly stated in this Agreement, any administrative
liability or enforcement right, or any administrative remedy,
including mandatory or permissive exclusion from Federal health
care programs;
d. Any liability to the United States (or its agencies) for any conduct
other than the Covered Conduct;
Any liability based upon obligations created by this Agreement;
Except for Jeremy Spinks, any liability of individuals;
g. Any liability for personal injury or property damage or for other
consequential damages arising from the Covered Conduct.
4. Defendants waive and shall not assert any defenses Defendants may have
to any criminal prosecution or administrative action relating to the Covered Conduct that
may be based in whole or in part on a contention that, under the Double Jeopardy Clause
in the Fifth Amendment of the Constitution, or under the Excessive Fines Clause in the
Eighth Amendment of the Constitution, this Agreement bars a remedy sought in such
criminal prosecution or administrative action.
Defendants fully and finally release the United States, its agencies,
officers, agents, employees, and servants, from any claims (including attorneys' fees,
costs, and expenses of every kind and however denominated) that Defendants have
asserted, could have asserted, or may assert in the future against the United States, its
agencies, officers, agents, employees, and servants, related to the Covered Conduct and
the United States' investigation and prosecution thereof.
6. a. Unallowable Costs Defined: All costs (as defined in the Federal
Acquisition Regulation, 48 C.F.R. § 31.205-47) incurred by or on behalf of Defendants,
and their present or former officers, directors, employees, shareholders, and agents in
connection with:
(1) the matters covered by this Agreement;
(2) the United States' audits) and civil investigations) of the matters covered by
this Agreement;
(3) Defendants' investigation, defense, and corrective actions undertaken in response
to the United States' audits) and civil investigations) in connection with the matters
covered by this Agreement (including attorneys' fees);
(4) the negotiation and performance of this Agreement;
(5) the payment Defendants make to the United States pursuant to this Agreement,
are unallowable costs for government contracting purposes (hereinafter referred to as
Unallowable Costs).
b. Future Treatment of Unallowable Costs: Unallowable Costs will
be separately determined and accounted for by Defendants, and Defendants shall not
charge such Unallowable Costs directly or indirectly to any contract with the United
States.
c. Treatment of Unallowable Costs Previously Submitted for
Payment: Within 90 days of the Effective Date of this Agreement, Defendants shall
identify and repay by adjustment to future claims for payment or otherwise any
Unallowable Costs included in payments previously sought by Defendants or any of its
subsidiaries or affiliates from the United States. Defendants agree that the United States,
at a minimum, shall be entitled to recoup from Defendants any overpayment plus
applicable interest and penalties as a result of the inclusion of such Unallowable Costs on
previously-submitted requests for payment. The United States, including the Department
of Justice and/or the affected agencies, reserves its rights to audit, examine, or re-examine
Defendants' books and records and to disagree with any calculations submitted by
Defendants or any of their subsidiaries or affiliates regarding any Unallowable Costs
included in payments previously sought by Defendants, or the effect of any such
Unallowable Costs on the amount of such payments.
7. This Agreement is intended to be for the benefit of the Parties only.
8. Each Party shall bear its own legal and other costs incurred in connection
with this matter, including the preparation and performance of this Agreement.
9. Each Party and signatory to this Agreement represents that it freely and
voluntarily enters into this Agreement without any degree of duress or compulsion.
10. This Agreement is governed by the laws of the United States. The
exclusive venue for any dispute relating to this Agreement is the United States District
Court for the Middle District of Florida. For purposes of construing this Agreement, this
Agreement shall be deemed to have been drafted by all Parties to this Agreement and
shall not, therefore, be construed against any Party for that reason in any subsequent
dispute.
11. This Agreement constitutes the complete agreement between the Parties.
This Agreement may not be amended except by written consent of the Parties.
7
12. The undersigned counsel represent and warrant that they are fully
authorized to execute this Agreement on behalf of the persons and entities indicated
below.
13. This Agreement may be executed in counterparts, each of which
constitutes an original and all of which constitute one and the same Agreement.
14. This Agreement is binding on Defendants' successors, transferees, heirs,
and assigns.
15. All Parties consent to the United States' disclosure of this Agreement, and
information about this Agreement, to the public.
16. This Agreement is effective on the date of signature of the last signatory to
the Agreement (Effective Date of this Agreement). Facsimiles and electronic
transmissions of signatures shall constitute acceptable, binding signatures for purposes of
this Agreement.
8
9
THE UNITED STATES OF AMERICA
DATED: BY: ______________________________
Michael Hoffman
Trial Attorney
Commercial Litigation Branch
Civil Division
United States Department of Justice
DATED: BY: ______________________________
Jeremy R. Bloor
Assistant United States Attorney
Middle District of Florida
DATED: BY: ______________________________
LISA M. RE
Assistant Inspector General for Legal Affairs
Office of Counsel to the Inspector General
Office of Inspector General
U.S. Department of Health and Human Services
LISA RE Digitally signed by LISA
RE
Date: 2023.03.10
12:17:19 -05'00'
3/13/23 fyBk
3/14/2023
JELLY BEAN COMMUNICATONS DESIGN LLC -DEFENDANT
~ /i
DATED: 3 ~ ~ 23 BY: / !" / ~'~"~
Jfi y an mmunicarions Design LLC
Printed Name: ~M~`~ SPr M,t 5
Title: ~~ A~rE~
DATED: 3 ~ 3 23 BY: ^
omas Findley
Cazlton Fields
Counsel for Jelly Bean Communications Design LLC
JEREMY SPINKS -DEFENDANT
DATED: 3 023 BY: ~—~---~--
J~re Spin
DATED: 3 ~ 3 Z BY: , h
omas Findley
Cazlton Fields
Counsel for Jeremy Spinks
10
This Settlement Agreement (Agreement) is entered into among the United States
of America, acting through the United States Department of Justice and on behalf of the
Office of Inspector General (OIG-HHS) of the Department of Health and Human
Services (HHS) (collectively the "United States") and Jelly Bean Communications
Design LLC (Jelly Bean) and Jeremy Spinks (collectively, the "Defendants") (all
hereafter collectively referred to as "the Parties"), through their authorized
representatives.
RR("TTAT .S
A. Jelly Bean is a Florida Limited Liability Company based out of
Tallahassee, Florida, that performs web hosting functions, but no longer performs work
on any government programs or for health care-related purposes. Jeremy Spinks is the
sole employee, manager, and 50 percent owner of Jelly Bean.
B. The Florida Healthy Kids Corporation (FHKC) is astate-created entity
that offers health and dental insurance for Florida children ages 5 through 18. FHKC
receives federal Medicaid funds as well as state funds to provide children's health
insurance programs.
C. On July 1, 2012, the State of Florida, Agency for Health Care
Administration (AHCA), contracted with FHKC to provide services for the State
Children's Health Insurance Plan Program (SCHIP). This included implementing
technical safeguards to protect the confidentiality, integrity, and availability of electronic
protected health information received, maintained, or transmitted on behalf of AHCA.
D. On October 31, 2013, FHKC contracted with Jelly Bean for "website
design, programming and hosting services." The agreement required, among other
things, that Jelly Bean provide afully-functional hosting environment that complied with
HIPAA. The agreement provided that Jelly Bean would adapt, modify, and create the
necessary code on the webserver to support the secure communication of data. Jeremy
Spinks signed the agreement on behalf of Jelly Bean. FHKC renewed its contract with
Jelly Bean through 2020. The federal government funded eighty-six percent of the
payments made from FHKC to Jelly Bean.
E. The United States contends that it has certain civil claims against
Defendants because they allegedly submitted, or caused to be submitted, false claims for
federal funds paid out through AHCA's contact with FHKC, and FHKC's contract with
Jelly Bean, during the period from January 1, 2014, through December 14, 2020, as
described in paragraphs E(i)-E(vii) below.
i. Under its contracts with FHKC, between 2013 and 2020, Jelly Bean
created, hosted, and maintained the website HealthyKids.org for FHKC. This included
the online application into which parents and others entered data to apply for state
Medicaid insurance coverage for children. Jelly Bean collected this data and sent it to
FHKC's third-party administrator.
ii. Under its agreements with FHKC, Jelly Bean submitted invoices for these
services. These invoices included a line item for "HIPAA-compliant hosting," and
charged a monthly "retainer fee" for hosting and other tasks.
iii. Inconsistent with its representations in the agreements and invoices, Jelly
Bean did not provide secure hosting of applicants' personal information and instead
2
failed to properly maintain, patch, and update the software systems underlying
HealthyKids.org and its related websites, leaving the site and the data Jelly Bean
collected from applicants vulnerable to attack.
iv. In or around early December 2020, it became apparent that more than
500,000 applications submitted on HealthyKids.org had been hacked by third parties.
Independent investigation by FHKC revealed that the hackers altered applications,
inserting a specific street address as their "calling card."
v. The FHKC investigation also revealed that the website created by Jelly
Bean was running multiple outdated and vulnerable applications, including some
software that Jelly Bean had not updated or patched since November 2013.
vi. Jelly Bean did not maintain adequate audit logs showing who accessed
applicants' personal information, but the information potentially exposed by the
website's vulnerabilities included an applicant's: 1) full name and date of birth; 2) email
address and telephone number; 3) physical and mailing address; 4) social security
number; 5) financial information, to include wages, alimony, child support, royalties,
other income, and tax deductions; 6) family relationships (such as mother of child,
sister/brother of applicant, etc.); and 7) secondary insurance information.
vii. In response to this data breach and Jelly Bean's cybersecurity failures,
FHKC shut down the website's application portal in December 2020.
The conduct described in this Paragraph E, above, is referred to below as the
Covered Conduct.
F. This Settlement Agreement is neither an admission of liability by Defendants nor
a concession by the United States that its claims are not well founded.
3
To avoid the delay, uncertainty, inconvenience, and expense of protracted
litigation of the above claims, and in consideration of the mutual promises and
obligations of this Settlement Agreement, the Parties agree and covenant as follows:
TERMS AND CONDITIONS
Defendants shall pay to the United States two hundred ninety-three
thousand, seven hundred seventy-one dollars ($293,771.00) (Settlement Amount) of
which $130,565.00 is restitution, by electronic funds transfer within thirty days of the
Effective Date of this Agreement, pursuant to written instructions to be provided by the
Office of the United States Attorney for the Middle District of Florida.
2. Subject to the exceptions in Paragraph 3 (concerning reserved claims)
below, and conditioned upon the United States' receipt of the Settlement Amount, the
United States releases Defendants from any civil or administrative monetary claim the
United States has for the Covered Conduct under the False Claims Act, 31 U.S.C. §§
3729-3733; the Program Fraud Civil Remedies Act, 31 U.S.C. §§ 3801-3812; or the
common law theories of breach of contract, payment by mistake, unjust enrichment, and
fraud.
3. Notwithstanding the release given in Paragraph 2 of this Agreement, or
any other term of this Agreement, the following claims and rights of the United States are
specifically reserved and are not released:
a. Any liability arising under Title 26, U.S. Code (Internal Revenue
Code);
4
b. Any criminal liability;
c. Except as explicitly stated in this Agreement, any administrative
liability or enforcement right, or any administrative remedy,
including mandatory or permissive exclusion from Federal health
care programs;
d. Any liability to the United States (or its agencies) for any conduct
other than the Covered Conduct;
Any liability based upon obligations created by this Agreement;
Except for Jeremy Spinks, any liability of individuals;
g. Any liability for personal injury or property damage or for other
consequential damages arising from the Covered Conduct.
4. Defendants waive and shall not assert any defenses Defendants may have
to any criminal prosecution or administrative action relating to the Covered Conduct that
may be based in whole or in part on a contention that, under the Double Jeopardy Clause
in the Fifth Amendment of the Constitution, or under the Excessive Fines Clause in the
Eighth Amendment of the Constitution, this Agreement bars a remedy sought in such
criminal prosecution or administrative action.
Defendants fully and finally release the United States, its agencies,
officers, agents, employees, and servants, from any claims (including attorneys' fees,
costs, and expenses of every kind and however denominated) that Defendants have
asserted, could have asserted, or may assert in the future against the United States, its
agencies, officers, agents, employees, and servants, related to the Covered Conduct and
the United States' investigation and prosecution thereof.
6. a. Unallowable Costs Defined: All costs (as defined in the Federal
Acquisition Regulation, 48 C.F.R. § 31.205-47) incurred by or on behalf of Defendants,
and their present or former officers, directors, employees, shareholders, and agents in
connection with:
(1) the matters covered by this Agreement;
(2) the United States' audits) and civil investigations) of the matters covered by
this Agreement;
(3) Defendants' investigation, defense, and corrective actions undertaken in response
to the United States' audits) and civil investigations) in connection with the matters
covered by this Agreement (including attorneys' fees);
(4) the negotiation and performance of this Agreement;
(5) the payment Defendants make to the United States pursuant to this Agreement,
are unallowable costs for government contracting purposes (hereinafter referred to as
Unallowable Costs).
b. Future Treatment of Unallowable Costs: Unallowable Costs will
be separately determined and accounted for by Defendants, and Defendants shall not
charge such Unallowable Costs directly or indirectly to any contract with the United
States.
c. Treatment of Unallowable Costs Previously Submitted for
Payment: Within 90 days of the Effective Date of this Agreement, Defendants shall
identify and repay by adjustment to future claims for payment or otherwise any
Unallowable Costs included in payments previously sought by Defendants or any of its
subsidiaries or affiliates from the United States. Defendants agree that the United States,
at a minimum, shall be entitled to recoup from Defendants any overpayment plus
applicable interest and penalties as a result of the inclusion of such Unallowable Costs on
previously-submitted requests for payment. The United States, including the Department
of Justice and/or the affected agencies, reserves its rights to audit, examine, or re-examine
Defendants' books and records and to disagree with any calculations submitted by
Defendants or any of their subsidiaries or affiliates regarding any Unallowable Costs
included in payments previously sought by Defendants, or the effect of any such
Unallowable Costs on the amount of such payments.
7. This Agreement is intended to be for the benefit of the Parties only.
8. Each Party shall bear its own legal and other costs incurred in connection
with this matter, including the preparation and performance of this Agreement.
9. Each Party and signatory to this Agreement represents that it freely and
voluntarily enters into this Agreement without any degree of duress or compulsion.
10. This Agreement is governed by the laws of the United States. The
exclusive venue for any dispute relating to this Agreement is the United States District
Court for the Middle District of Florida. For purposes of construing this Agreement, this
Agreement shall be deemed to have been drafted by all Parties to this Agreement and
shall not, therefore, be construed against any Party for that reason in any subsequent
dispute.
11. This Agreement constitutes the complete agreement between the Parties.
This Agreement may not be amended except by written consent of the Parties.
7
12. The undersigned counsel represent and warrant that they are fully
authorized to execute this Agreement on behalf of the persons and entities indicated
below.
13. This Agreement may be executed in counterparts, each of which
constitutes an original and all of which constitute one and the same Agreement.
14. This Agreement is binding on Defendants' successors, transferees, heirs,
and assigns.
15. All Parties consent to the United States' disclosure of this Agreement, and
information about this Agreement, to the public.
16. This Agreement is effective on the date of signature of the last signatory to
the Agreement (Effective Date of this Agreement). Facsimiles and electronic
transmissions of signatures shall constitute acceptable, binding signatures for purposes of
this Agreement.
8
9
THE UNITED STATES OF AMERICA
DATED: BY: ______________________________
Michael Hoffman
Trial Attorney
Commercial Litigation Branch
Civil Division
United States Department of Justice
DATED: BY: ______________________________
Jeremy R. Bloor
Assistant United States Attorney
Middle District of Florida
DATED: BY: ______________________________
LISA M. RE
Assistant Inspector General for Legal Affairs
Office of Counsel to the Inspector General
Office of Inspector General
U.S. Department of Health and Human Services
LISA RE Digitally signed by LISA
RE
Date: 2023.03.10
12:17:19 -05'00'
3/13/23 fyBk
3/14/2023
JELLY BEAN COMMUNICATONS DESIGN LLC -DEFENDANT
~ /i
DATED: 3 ~ ~ 23 BY: / !" / ~'~"~
Jfi y an mmunicarions Design LLC
Printed Name: ~M~`~ SPr M,t 5
Title: ~~ A~rE~
DATED: 3 ~ 3 23 BY: ^
omas Findley
Cazlton Fields
Counsel for Jelly Bean Communications Design LLC
JEREMY SPINKS -DEFENDANT
DATED: 3 023 BY: ~—~---~--
J~re Spin
DATED: 3 ~ 3 Z BY: , h
omas Findley
Cazlton Fields
Counsel for Jeremy Spinks
10
