On July 31, 2025, the United States Department of Justice (DOJ) announced a $9.8 million settlement with Illumina, Inc. (Illumina) to resolve alleged False Claims Act (FCA) violations related to cybersecurity vulnerabilities and shortcomings in its genomic sequencing products. Of the total settlement, $1.9 million will be paid to the qui tam whistleblower who brought the FCA case—Illumina’s former Director of Platform Management.
Illumina sold its genomic sequencing products to a host of federal entities, including DOJ, HHS, DHS, NASA, the VA, and various other agencies. The DOJ contended that from February 24, 2016 through September 28, 2023, Illumina submitted false claims for payment to the agencies by failing to implement “an adequate product security program and sufficient quality systems to identify and address cybersecurity vulnerabilities” in its software. The DOJ further alleged that Illumina’s claims to the agencies were false “regardless of whether any actual cybersecurity breaches occurred,” asserting that Illumina knowingly failed to:
- Incorporate “cybersecurity by design” into the development, installation, and on-market monitoring of its genomic sequencing products;
- Properly support personnel and processes responsible for product security;
- Sufficiently correct design features that introduced cybersecurity vulnerabilities in the genomic sequencing products; and
- Comply with certain cybersecurity standards, such as those defined by the National Institute of Standards and Technology, despite representing that the products did comply with those standards.
Illumina denied all substantive allegations that its products had cybersecurity deficiencies and denied all liability.
Unlike other recent cyber FCA settlements, such as those involving Raytheon, Georgia Tech, or MORSECORP, this case focused on Illumina's alleged failure to build cybersecurity into its product design. The DOJ did not cite deficiencies in the cybersecurity program that monitors Illumina's own corporate environment, nor did it allege that Illumina's shortcomings were solely a failure to patch its software as new vulnerabilities were discovered. Rather, the DOJ appears to have homed in on Illumina's failure to produce a product that was "secure by design." "Cybersecurity by design" is a foundational concept of product development and cybersecurity, since it embeds security principles throughout the development lifecycle, but asserting cybersecurity "design flaws" as the basis for a fraud theory is novel.
The Illumina case is joined by another recent settlement involving the defense contractor Aero Turbine Inc. (Aero) and the private equity company Gallant Capital Partners LLC (Gallant), which jointly and severally agreed to pay $1.75 million to resolve an FCA claim related to Aero's cybersecurity program. Unlike the parties in other FCA settlements, Aero and Gallant self-reported their noncompliance with cybersecurity requirements, cooperated in the government's investigation, and took "prompt remedial measures" to mitigate their damages. The Aero and Gallant settlement agreement called out specifically that Aero and Gallant cooperated with the investigation by "identifying individuals involved in or responsible for the issues and disclosing facts gathered during [Aero and Gallant's] independent investigation, with attribution of the facts to specific sources." Acting U.S. Attorney Kimberly A. Sanchez for the Eastern District of California said in a statement that her office "commend[s] Aero Turbine and Gallant for disclosing the issue and promptly cooperating to address it. We encourage others to follow their example of self-reporting to resolve violations."
The Illumina settlement appears to be the DOJ's first FCA settlement involving cybersecurity and a medical device manufacturer. It demonstrates that the DOJ, as part of its Civil Cyber-Fraud Initiative, is focusing not just on defense contractors and traditional defense-related information, but on government contractors more broadly and the personal information, such as health data, that they collect. The DOJ emphasized the importance of securing sensitive information in its press release: "[t]his settlement underscores the importance of cybersecurity in handling genetic information and the Department's commitment to ensuring that federal contractors adhere to requirements to protect sensitive information from cyber threats."
Alston’s Privacy, Cyber, and Data Strategy, Government Investigations, and Government Contracting teams will continue to actively monitor cases in this space for further developments.