August 5, 2025
Illumina, a biotechnology company headquartered in California, will pay a $9.8 million settlement to resolve allegations that it violated the False Claims Act. The case claims that Illumina knowingly sold genomic sequencing systems with significant cybersecurity vulnerabilities to federal agencies.
The allegations against Illumina were first brought to light in 2023 by Erica Lenore, a former Director for Platform Management at Illumina. She filed a whistleblower lawsuit under the qui tam provisions of the False Claims Act. From February 2016 to September 2023, Illumina allegedly sold its genomic sequencing systems to government agencies without having an adequate security program. Specifically, the complaint alleged that:
Illumina failed to incorporate cybersecurity into its software design and development. In addition, Illumina did not properly support personnel tasked with product security. The company also allegedly failed to correct design features that introduced vulnerabilities and falsely claimed that its software complied with ISO and NIST cybersecurity standards.
Illumina was aware of material cybersecurity failures before its products were launched. In addition, any mitigation efforts were involuntary and made only in response to third-party complaints about malicious actors exploiting vulnerabilities. For example, in August 2022, Illumina disclosed a vulnerability in its Local Run Manager software, nearly a year after a third party first notified the company.
Illumina’s cybersecurity failures included the improper granting of elevated privileges to everyday users by default, which is similar to giving everyone super admin rights to a database. This could allow users to access and manipulate protected patient genomic data without detection.
Illumina’s software also allegedly failed to protect user credentials, leaving usernames and passwords easily accessible. This could make it easier for unauthorized users to access and manipulate data.
The lawsuit claimed that because of these security defects, Illumina knowingly allowed thousands of insiders and everyday users to access and manipulate confidential patient data. This included the ability to alter patient genomic test results, change product configurations, and install unauthorized applications.
This case falls under the Department of Justice’s ongoing Civil Cyber Fraud Initiative (CCFI). The CCFI targets companies that knowingly provide deficient cybersecurity products, misrepresent their practices, or fail to report cybersecurity incidents. In a 2021 blog post, we predicted – correctly – that the CCFI would expand to hold more and more entities accountable for cybersecurity-related fraud. The Illumina settlement shows that medical device companies will also face significant financial penalties for failing to implement the required cybersecurity controls.
This settlement demonstrates our continuing commitment to combat cybersecurity risks by ensuring that federal contractors protect private and sensitive government information.
– Acting U.S. Attorney Sara Bloom for the District of Rhode Island when announcing the settlement.
The Whistleblower Law Collaborative, based in Boston, represents individuals nationwide in bringing cases under the False Claims Act and other whistleblower programs. One of our recent successes was the $4.6 million settlement with MORSECORP, Inc. It was the first major False Claims Act cybersecurity settlement with a defense contractor.
If you know a government contractor has falsely certified compliance with its cybersecurity requirements, or failed to report a cybersecurity breach, contact us for a confidential consultation. Our attorneys include several former federal prosecutors with experience safeguarding sensitive military, intelligence, and healthcare data and information.