DOJ Sharpens Focus on Cybersecurity Compliance in Healthcare: Illumina FCA Settlement Signals Broader Trend

On July 31, 2025, the U.S. Department of Justice announced that Illumina Inc. agreed to pay $9.8 million to resolve False Claims Act (“FCA”) allegations concerning cybersecurity deficiencies in its genomic sequencing systems sold to federal agencies between 2016 and 2023. DOJ alleged that Illumina failed to incorporate adequate cybersecurity measures into product design, lacked effective monitoring or remediation protocols, and misrepresented compliance with recognized cybersecurity standards, including those established by the International Organization for Standardization (“ISO”) and the National Institute of Standards and Technology (“NIST”).

This matter represents the first significant FCA settlement against a biotechnology or healthcare technology provider based on alleged cybersecurity vulnerabilities in its products. It also marks one of at least 10 FCA settlements obtained by DOJ since launching its Civil Cyber-Fraud Initiative in October 2021, an effort focused on holding contractors and federal grant recipients accountable for failing to meet required cybersecurity standards or making false statements about cyber readiness.

Cybersecurity-Driven FCA Enforcement: A Broader Pattern

The Illumina case joins a growing body of enforcement actions under the Civil Cyber-Fraud Initiative. Recent examples include:

  • Aero Turbine Inc. and Gallant Capital Partners, July 2025: $1.75 million settlement by the defense contractor and its private equity owner, following voluntary self-disclosure, to resolve FCA liability for cybersecurity noncompliance in federal defense contracts.
  • Raytheon Technologies, RTX, and Nightwing Group, May 2025: $8.4 million settlement by defense contractors to resolve allegations of noncompliance with federal cybersecurity requirements in defense contracts.
  • MORSECORP, Inc., March 2025: $4.6 million settlement to resolve allegations that the defense software provider falsely certified compliance with required security controls under the Defense Federal Acquisition Regulation Supplement (“DFARS”).
  • Health Net Federal Services Inc. and Centene Corporation, February 2025: $11.25 million settlement resolving allegations that the companies, which provide managed healthcare support services, falsely certified compliance with cybersecurity requirements under TRICARE contracts, failed to perform required vulnerability scans, and ignored audit findings and internal warnings.

These settlements illustrate DOJ’s position that misrepresentations about cybersecurity compliance, whether in contract bids, certifications, or ongoing performance, can create FCA liability. They also demonstrate that DOJ is willing to pursue both large and small contractors across industries, with heightened attention to sectors that handle sensitive data or operate in regulated environments.

Healthcare as an Emerging FCA Cybersecurity Priority

The Illumina settlement signals DOJ’s expanding application of this enforcement theory into healthcare and life sciences. Healthcare organizations manage large volumes of personally identifiable information and protected health information, making them prime targets for cyberattacks. Medical devices, genomic sequencing systems, and health IT platforms often fall under both FDA oversight and federal procurement requirements, creating overlapping obligations to maintain and certify strong cybersecurity controls.

DOJ has framed cybersecurity lapses in this space as more than a compliance issue. They are also viewed as patient safety risks. The DOJ–HHS False Claims Act Working Group has stated that materially defective medical devices or compromised electronic health record systems will remain a focus of enforcement. Healthcare technology companies can therefore expect scrutiny not only for the clinical performance of their products but also for the data security and integrity of the systems that support them.

The Future of DOJ Cybersecurity Enforcement

The Civil Cyber-Fraud Initiative will continue to play a central role in DOJ’s FCA strategy. Future enforcement is expected to involve closer coordination between DOJ, HHS‑OIG, CMS, and agency inspectors general to identify cases where cyber failures affect federally funded programs. Increased whistleblower activity is likely, bolstered by DOJ’s new Corporate Whistleblower Awards Pilot Program, which expressly encompasses misconduct related to cybersecurity.

Private equity firms and investors in healthcare technology companies should also take note. DOJ has indicated that it will look closely at whether owners and investors exercise adequate oversight to ensure that portfolio companies meet contractual and regulatory cybersecurity obligations. Where they do not, enforcement may reach beyond the operating company to its backers.

Recommendations: Avoiding FCA Cybersecurity Exposure

The Illumina settlement serves as a reminder that cybersecurity compliance is now firmly embedded within DOJ’s False Claims Act enforcement priorities. Companies supplying products or services to the federal government, particularly in healthcare, life sciences, and other regulated sectors, must treat cybersecurity requirements with the same seriousness as traditional contractual performance obligations. The risk is not limited to large contractors. Smaller vendors, subcontractors, technology providers, and even service firms have found themselves facing FCA liability when they fail to meet required cybersecurity standards or when they inaccurately certify compliance.

A proactive approach to cybersecurity compliance can significantly reduce the likelihood of becoming the subject of a DOJ investigation or qui tam whistleblower action. The most effective compliance programs combine rigorous technical controls with clear documentation, internal accountability, and contractual safeguards that extend to third-party partners. In the current enforcement climate, the following actions can help reduce FCA risk:

  • Conduct cybersecurity compliance audits to ensure alignment with all applicable standards, especially for systems used by federal agencies.
  • Validate internal certifications and disclosures to confirm that any statements about cybersecurity readiness are accurate and substantiated.
  • Strengthen breach reporting and remediation processes and self‑disclose incidents when required.
  • Include explicit cybersecurity clauses in contracts with third parties and audit their compliance.
  • Train compliance and product teams on FCA exposure tied to cybersecurity failures or misrepresentations.
  • Engage legal and technical counsel proactively in designing and monitoring cybersecurity programs.

Conclusion

The Illumina settlement marks a significant development in FCA enforcement, representing both a first for the healthcare technology space and another in a growing series of DOJ victories under the Civil Cyber-Fraud Initiative. It demonstrates DOJ’s readiness to hold companies accountable not only for traditional billing fraud but also for failures in cybersecurity that undermine the security, reliability, and safety of federally procured products and services.

Companies operating in healthcare and other regulated sectors should act now to assess cybersecurity readiness, confirm the accuracy of compliance representations, and implement rigorous monitoring and response procedures. In today’s enforcement climate, proactive and well‑documented compliance is the best safeguard against costly investigations, settlements, and reputational damage.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Arnall Golden Gregory LLP

Written by:

Arnall Golden Gregory LLP
