Illumina Inc., a company based in Delaware and headquartered in California, has agreed to pay $9.8 million to settle allegations that it violated the False Claims Act by selling genomic sequencing systems with cybersecurity vulnerabilities to federal agencies. The systems were sold between February 2016 and September 2023.
According to the United States, Illumina failed to include proper cybersecurity measures in its software design, development, installation, and ongoing monitoring. The government also alleged that Illumina did not adequately support personnel or processes responsible for product security and did not correct design features that introduced vulnerabilities. Additionally, the company was accused of falsely claiming its software met cybersecurity standards set by organizations such as the International Organization for Standardization and the National Institute of Standards and Technology.
“Companies that sell products to the federal government will be held accountable for failing to adhere to cybersecurity standards and protecting against cybersecurity risks,” said Assistant Attorney General Brett A. Shumate of the Justice Department’s Civil Division. “This settlement underscores the importance of cybersecurity in handling genetic information and the Department’s commitment to ensuring that federal contractors adhere to requirements to protect sensitive information from cyber threats.”
“This settlement demonstrates our continuing commitment to combat cybersecurity risks by ensuring that federal contractors protect private and sensitive government information.” said Acting U.S. Attorney Sara Bloom for the District of Rhode Island.
“This settlement demonstrates our continued commitment to work with our law enforcement partners and the Department of Justice to ensure companies fulfill their contractual obligations,” said Acting Special Agent in Charge Christopher M. Silvestro of the Defense Criminal Investigative Service (DCIS) Northeast Field Office, the law enforcement arm of the Department of Defense’s Office of Inspector General. “Safeguarding the validity of Department of Defense research and data is vital to supporting the warfighter.”
“Significant damage can result from a failure to adhere to required cybersecurity standards, especially when the systems involved include sensitive genomic data,” said Special Agent in Charge Roberto Coviello of the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG). “HHS-OIG and our law enforcement partners remain dedicated to ensuring that entities who do business with the government uphold their cybersecurity obligations.”
The case originated from a lawsuit filed under whistleblower provisions in which private parties can sue on behalf of the government if false claims are submitted for government funds. Erica Lenore, a former Director for Platform Management at Illumina, will receive $1.9 million as her share of this settlement.
The resolution resulted from cooperation among several agencies including the Justice Department’s Civil Division, Commercial Litigation Branch, Fraud Section; United States Attorney’s Office for Rhode Island; DCIS; Army Criminal Investigation Division; HHS Office of Inspector General; and Commerce Department Office of Inspector General.
The investigation was led by Trial Attorney Erin Colleran from the Justice Department’s Civil Division along with Acting U.S. Attorney Sara Bloom for Rhode Island.
Authorities noted that these are allegations only and there has been no determination regarding liability.
