When cybersecurity becomes a compliance obligation: Lessons from the Illumina FCA settlement


Contributors:
Liyue Sigle
AIGP, CIPP/E, CIPP/US
Privacy and AI Counsel
Monia Reding
Vitreoretinal surgery fellow
Oregon Health & Science University
Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
In July, the U.S. Department of Justice announced that Illumina Inc., a leading manufacturer of genomic sequencing systems, would pay USD9.8 million to resolve allegations under the False Claims Act. The case, which did not involve an actual data breach, centered instead on claims that Illumina knowingly sold sequencing systems to federal agencies that contained software with known cybersecurity vulnerabilities between February 2016 and September 2023.
The government argued Illumina falsely certified compliance with cybersecurity standards, making its claims for payment "false" under federal law. The settlement arose from a whistleblower suit filed by a former Illumina director, who will receive nearly USD1.9 million as part of the resolution.
The outcome demonstrates how the False Claims Act can be applied to cybersecurity deficiencies. Illumina denied liability but accepted the settlement terms, which also include restitution of USD4.3 million. The government emphasized that companies doing business with federal agencies must meet the highest standards in protecting sensitive systems and data.
Commentators have observed that the Illumina settlement is one of the first to tie medical device cybersecurity directly to False Claims Act liability, opening new terrain for both regulators and industry stakeholders.
It is worth noting that the settlement agreement itself does not reference the Civil Cyber-Fraud Initiative, DOJ's program launched in 2021 to use the False Claims Act against contractors that misrepresent cybersecurity practices. However, legal analysts see the Illumina case as closely aligned with that enforcement strategy, since it applies the same theory that a false claim can arise from deficient cybersecurity even in the absence of a breach.
Significance of the case