Illumina Inc., a Delaware corporation based in California, has agreed to pay $9.8 million to settle allegations that it violated the False Claims Act by selling genomic sequencing systems with cybersecurity vulnerabilities to federal agencies. The company manufactures and sells genomic sequencing systems across the United States.
The settlement addresses claims that from February 2016 through September 2023, Illumina sold government agencies sequencing systems with software containing cybersecurity risks, without having adequate security programs or quality controls to detect and fix those issues. According to the U.S. government, Illumina knowingly failed to integrate product cybersecurity into its software design, development, installation, and monitoring; did not provide sufficient support for personnel and processes responsible for product security; did not adequately address design features that introduced vulnerabilities; and misrepresented compliance with cybersecurity standards set by organizations such as the International Organization for Standardization and the National Institute of Standards and Technology.
“Companies that sell products to the federal government will be held accountable for failing to adhere to cybersecurity standards and protecting against cybersecurity risks,” said Assistant Attorney General Brett A. Shumate of the Justice Department’s Civil Division. “This settlement underscores the importance of cybersecurity in handling genetic information and the Department’s commitment to ensuring that federal contractors adhere to requirements to protect sensitive information from cyber threats.”
“This settlement demonstrates our continuing commitment to combat cybersecurity risks by ensuring that federal contractors protect private and sensitive government information.” said Acting U.S. Attorney Sara Bloom for the District of Rhode Island.
“This settlement demonstrates our continued commitment to work with our law enforcement partners and the Department of Justice to ensure companies fulfill their contractual obligations,” said Acting Special Agent in Charge Christopher M. Silvestro of the Defense Criminal Investigative Service (DCIS) Northeast Field Office, the law enforcement arm of the Department of Defense’s Office of Inspector General. “Safeguarding the validity of Department of Defense research and data is vital to supporting the warfighter.”
“Significant damage can result from a failure to adhere to required cybersecurity standards, especially when the systems involved include sensitive genomic data,” said Special Agent in Charge Roberto Coviello of the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG). “HHS-OIG and our law enforcement partners remain dedicated to ensuring that entities who do business with the government uphold their cybersecurity obligations.”
The case was brought under whistleblower provisions in the False Claims Act, which allow private individuals to sue on behalf of the government over false claims for funds. Erica Lenore, a former Director at Illumina, filed this lawsuit and will receive $1.9 million as her share of the settlement.
The investigation was conducted by multiple agencies including Trial Attorney Erin Colleran from the Justice Department’s Civil Division and Acting U.S. Attorney Sara Bloom from Rhode Island, along with assistance from DCIS, Army Criminal Investigation Division, HHS Office of Inspector General, and Commerce Office of Inspector General.
Officials noted that these are allegations only; there has been no determination of liability.
