Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

In July, the U.S. Department of Justice announced that Illumina Inc., a leading manufacturer of genomic sequencing systems, would pay USD9.8 million to resolve allegations under the False Claims Act. The case, which did not involve an actual data breach, centered instead on claims that Illumina knowingly sold sequencing systems to federal agencies that contained software with known cybersecurity vulnerabilities between February 2016 and September 2023. 

The government argued Illumina falsely certified compliance with cybersecurity standards, making its claims for payment "false" under federal law. The settlement arose from a whistleblower suit filed by a former Illumina director, who will receive nearly USD1.9 million as part of the resolution.

The outcome demonstrates how the False Claims Act can be applied to cybersecurity deficiencies. Illumina denied liability but accepted the settlement terms, which also include restitution of USD4.3 million. The government emphasized that companies doing business with federal agencies must meet the highest standards in protecting sensitive systems and data. 

Commentators have observed that the Illumina settlement is one of the first to tie medical device cybersecurity directly to False Claims Act liability, opening new terrain for both regulators and industry stakeholders.

It is worth noting that the settlement agreement itself does not reference the Civil Cyber-Fraud Initiative, the DOJ's program launched in 2021 to use the False Claims Act against contractors that misrepresent their cybersecurity practices. However, legal analysts see the Illumina case as closely aligned with that enforcement strategy, since it applies the same theory: a false claim can arise from deficient cybersecurity even in the absence of a breach.

Significance of the case

The Illumina settlement underscores the growing role of cybersecurity in the regulation of medical devices. Illumina's sequencing systems operate with software modules called Local Run Manager and Universal Copy Service. These modules process genomic data and connect to networks and cloud environments, making them susceptible to the same types of cyber risks that plague traditional information technology systems. 

Regulators have been signaling for years that device cybersecurity is inseparable from safety and effectiveness. The 2023 omnibus spending bill, which included the Protecting and Transforming Cyber Healthcare Act, gave the U.S. Food and Drug Administration explicit authority to require cybersecurity documentation in premarket submissions. Since then, device manufacturers must demonstrate secure development practices, provide a software bill of materials, and commit to ongoing monitoring and patching. 

The Illumina case illustrates what happens when the cybersecurity life cycle is not fully embedded in product design and post-market oversight.

The case also highlights the high standards expected when contracting with the federal government. The DOJ's theory of liability did not depend on a successful hack. Instead, the government framed Illumina's failure to implement adequate cybersecurity as a form of misrepresentation, because the company sold its systems as though they met required standards. 

This reflects a shift in FCA enforcement toward treating cybersecurity as an express condition of payment. Analysts have pointed out that the expanding scope of FCA cybersecurity liability means companies must be prepared for government scrutiny not only of their security outcomes, but also of the processes and representations that surround them.

The implications go beyond federal procurement. Hospitals, insurers and private health systems purchase the same types of connected devices. If federal agencies demand verifiable cybersecurity assurances as a condition of doing business, private buyers are likely to follow. In practice, this means procurement teams will require medical device manufacturers to disclose software inventories, commit to patch management and maintain vulnerability disclosure programs. 

Investors may also begin scrutinizing cybersecurity practices more closely, especially if deficiencies could lead to regulatory enforcement or litigation. The Illumina case offers plaintiffs' lawyers a roadmap: if cybersecurity vulnerabilities can ground FCA liability, they may also support negligence or misrepresentation claims in private suits.

The lesson is clear

From a governance perspective, cybersecurity in medical devices is not an ancillary IT issue but a compliance obligation. Device makers must treat security as a core component of safety and efficacy, and they must be ready to document, demonstrate and defend their practices. 

For organizations contracting with the government, the standard is even higher, because a failure to meet cybersecurity expectations can expose them to FCA liability regardless of whether an incident has occurred. For private sector buyers, the case signals that best practices in federal contracting may soon become baseline requirements in commercial markets.

The Illumina settlement should therefore be read less as a one-off enforcement action and more as a bellwether. Regulators, customers and investors increasingly view cybersecurity as integral to trust in the health care ecosystem. 

Companies that get ahead of this curve by embedding cybersecurity into their product life cycles, contracts and compliance programs will not only reduce legal risk but also strengthen their competitive position. In today's connected health care environment, cybersecurity is compliance, compliance builds trust, and trust sustains business.

Liyue Sigle, AIGP, CIPP/E, CIPP/US, is a privacy and AI counsel.

Dr. Monia Reding is a vitreoretinal surgery fellow at Oregon Health & Science University.