Medical Devices, Cybersecurity & The False Claims Act: What are the Key Takeaways from the Illumina - DOJ Settlement?

Orrick, Herrington & Sutcliffe LLP

Illumina, Inc., a publicly-traded biotechnology company, agreed to a $9.8 million settlement with the U.S. Department of Justice (DOJ) in response to alleged violations of the False Claims Act (FCA). DOJ alleged that Illumina sold genomic sequencing systems with cybersecurity vulnerabilities to federal agencies and falsely represented that the software on the genomic sequencing systems adhered to cybersecurity standards.

This settlement is the first of its kind, highlighting the expansion of cybersecurity enforcement to the healthcare industry. It follows the announcement of DOJ’s re-launch of the joint DOJ and Department of Health and Human Services (HHS) False Claims Act work group and builds on the Civil Cyberfraud Initiative. In announcing the resolution, DOJ highlighted the “importance of cybersecurity in handling genetic information.”[1]

The DOJ’s investigation and settlement arose from a qui tam complaint filed by Illumina’s former Director for Platform Management. The DOJ intervened in the whistleblower suit to effectuate a settlement. The relator, a former Illumina employee, will receive $1.9 million as their share of the settlement.

The Settlement

In its settlement with the company, the DOJ contends that Illumina submitted, or caused to be submitted, false claims to U.S. government agencies (collectively, the “Agencies”). The basis for liability was the company’s representations of its cybersecurity posture.

Specifically, the DOJ found that from February 2016 through September 2023, Illumina allegedly submitted false claims to several Agencies for payment for Illumina’s LRM and UCS software. The DOJ alleged that these submitted claims were false because Illumina:

  • knowingly failed to incorporate product cybersecurity in its software design, development, installation and on-market monitoring;
  • failed to properly support and resource personnel, systems and processes tasked with product security;
  • failed to adequately correct design features that introduced cybersecurity vulnerabilities in its LRM and UCS software; and
  • falsely represented that the LRM and UCS software adhered to cybersecurity standards, including ISO and NIST standards.

The Underlying Qui Tam Complaint

What did the relator allege?

In a lawsuit initially filed in September 2023, the relator, the former Director for Platform Management – On-Market Portfolio at Illumina, alleged that Illumina sold genomic sequencing systems with known cybersecurity vulnerabilities to the Agencies.

The Complaint alleged that Illumina, despite knowing of the cybersecurity vulnerabilities in their products prior to sending them to market, received direct and indirect funding through the U.S. government, such as through grants, contracts, awards and the Agencies purchasing Illumina products and services for use in federally-funded research.

According to the complaint, Illumina violated cybersecurity regulations for medical devices when it failed to address “known widespread cybersecurity failures in its products at launch” and instead pushed out new products with cybersecurity vulnerabilities and failed to “mitigate or correct problems in its on-market products.” Further, Illumina was allegedly aware of specific, material cybersecurity failures resulting in two product recalls.

The complaint also alleged that Illumina disregarded cybersecurity requirements under HIPAA (for HIPAA-protected health information) and applicable FDA regulations, including by failing to disclose known vulnerabilities such as improper default access controls and hard-coded credentials, and by failing to mitigate or correct risks of insider threats.

What to know about the allegations?

In the underlying qui tam lawsuit, Illumina was specifically accused of making “materially false certifications” to the U.S. government about the “cybersecurity protections of its products.” These false certifications were based on alleged violations of the FDA’s Quality System Regulation (“QSR”), i.e., Illumina’s failure to implement proper design controls, corrective and preventative actions, and management of products prior to release.

The QSR sets forth “basic requirements” for companies engaged in the “design, manufacture, packaging, labeling, storage, installation, and servicing of all finished devices intended for human use” (see 21 CFR 820.1(a)(1)). The QSR does not include any specific requirements addressing cybersecurity controls, processes or risk management for health-related devices or technology. As such, the FCA claim in the qui tam complaint hinged on the allegation that Illumina failed to follow the FDA’s non-binding guidance regarding cybersecurity standards in medical devices.

Why is this settlement important for medical device companies?

Medical device companies should take note. Attention to a company’s cybersecurity infrastructure may be coming to the forefront of FCA claims.

While the DOJ’s settlement with Illumina did not specifically reference the FDA Cybersecurity Guidance, the Illumina case shows how such guidance and the alleged failure to follow it can potentially be used as a framework for litigation or enforcement actions with explosive implications for medical device companies, including regulatory scrutiny, multi-million-dollar penalties and product recalls.

This settlement is unique in that the FCA violations were focused on Illumina’s alleged failures to implement an adequate product security program or sufficient quality systems to identify vulnerabilities, “regardless of whether any actual cybersecurity breaches occurred” (emphasis added, see Settlement at Recitals, para. D).

Failure to align cybersecurity practices with industry standards such as ISO or NIST while making explicit or implied certifications or statements regarding the company’s cybersecurity posture may result in legal exposure including whistleblower complaints, regulatory scrutiny, government investigations and other civil actions, including false advertising and product liability actions.

Illumina’s settlement, alongside the announcement that the FCA working group will be renewed, indicates that cybersecurity representations and certifications will be a fertile field for future FCA claims.


[1] For more detail on the patchwork of federal and state laws protecting the confidentiality and security of genetic data, see our recent article: https://www.orrick.com/en/Insights/2025/08/Navigating-Privacy-Gaps-and-New-Legal-Requirements-for-Companies-Processing-Genetic-Data
