A Florida-based web hosting company and its manager agreed to pay $293,771 in the latest Department of Justice (DOJ) case holding government contractors accountable for poor cybersecurity practices.

Jelly Bean Communications Design was contracted to design a website for the Florida Healthy Kids Corporation (FHKC), which offered health and dental insurance for Florida children ages five through 18. Jelly Bean knowingly left the website vulnerable to attack through running outdated software, the DOJ alleged in a press release Tuesday.

The details: Jelly Bean created, hosted, and maintained the website HealthyKids.org for the FHKC from 2013 to 2020. During that time, the company was required to ensure the website’s cybersecurity controls complied with the Health Insurance Portability and Accountability Act (HIPAA).

Beginning in 2014, the company “did not provide secure hosting of applicants’ personal information and instead knowingly failed to properly maintain, patch, and update the software systems underlying HealthyKids.org and its related websites,” according to the DOJ. Around December 2020, more than 500,000 applications submitted to HealthyKids.org were revealed to have been hacked by third parties, the agency stated. The government found Jelly Bean was running outdated and vulnerable applications, some not updated since November 2013.

The FHKC shut down the website’s application portal in December 2020.

Of the settlement total, $130,565 is restitution, according to the agreement. Jeremy Spinks was named in the settlement as Jelly Bean’s sole employee, manager, and 50 percent owner.

Jelly Bean no longer performs work for the government or any healthcare-related purposes, according to the DOJ.

The company did not respond to a request for comment.

Compliance ramifications: The DOJ in October 2021 announced its Civil Cyber-Fraud Initiative, which uses the False Claims Act to pursue cases of cybersecurity-related fraud by government contractors and grant recipients. The agency in July 2022 settled with Aerojet Rocketdyne for $9 million to resolve allegations that the aerospace and defense manufacturer misled the federal government about its compliance with cybersecurity requirements in certain contracts, a case believed to be the first to use the qui tam provisions of the False Claims Act to hold a company accountable for alleged cybersecurity fraud.