DOJ Settlement Ties Illumina to Cybersecurity Failures in Genomic Sequencing Systems

According to a Covington update, the US Department of Justice recently announced a $9.8 million settlement with Illumina, Inc. to resolve United States ex rel. Lenore v. Illumina, Inc. The case rested upon allegations that Illumina sold genomic sequencing systems containing cybersecurity vulnerabilities to federal agencies.

The action is part of the DOJ’s broader use of the False Claims Act to enforce cybersecurity compliance among government contractors, a trend that has gained momentum under the current administration.

The settlement signals DOJ’s commitment to scrutinize representations contractors make about product security, particularly where sensitive data is at stake.

The case originated as a whistleblower action under 31 U.S.C. § 3730(b), filed by a former employee of Illumina.

The DOJ alleged that the company knowingly failed to incorporate cybersecurity into its genomic sequencing systems, including software design, development, installation, and monitoring processes.

The complaint further claimed that Illumina under-resourced its product security functions, neglected to correct design features that introduced vulnerabilities, and falsely asserted compliance with cybersecurity standards from the National Institute of Standards and Technology.

The DOJ emphasized that liability could attach under the FCA even in the absence of an actual breach, arguing that misrepresentations concerning cybersecurity are sufficient to render claims false.

Illumina agreed to settle without admitting liability. The DOJ emphasized that sensitive genetic data requires protection and that cybersecurity weaknesses in such systems pose unacceptable risks to federal customers.

The matter reflects the Department’s willingness to pursue enforcement against companies outside the defense and IT sectors, extending its focus to biotechnology and health-related industries.

Attorneys should note the government’s continued reliance on the FCA as a cybersecurity enforcement tool. Government contractors can expect heightened scrutiny of their  product security practices and disclosure accuracy