DOJ Cracks Down on Cyber Lapses with $11.5M in False Claims Act Settlements Against Illumina & Defense Contractor

Key Takeaways

  • Cybersecurity Failures: Illumina sold genomic sequencing systems with known cybersecurity vulnerabilities to U.S. government agencies over a seven-year period.
  • False Claims Act Violations: The company was accused of falsely certifying compliance with cybersecurity standards including ISO and NIST.
  • $9.8M Settlement: Illumina agreed to pay nearly $10 million to resolve the allegations without admitting liability.
  • Whistleblower Awarded: Erica Lenore, a former Illumina executive, will receive $1.9 million under the False Claims Act’s qui tam provisions.
  • Growing FCA Focus: The case reflects heightened federal scrutiny of cybersecurity standards in government procurement.

Deep Dive

Genomic sequencing giant Illumina has agreed to pay $9.8 million to resolve allegations that it sold systems with serious cybersecurity vulnerabilities to U.S. federal agencies, the Justice Department announced Thursday.

The settlement stems from claims that between February 2016 and September 2023, Illumina knowingly sold genomic sequencing systems to government customers despite failing to incorporate adequate cybersecurity protections into the software. The systems, used across federal research and health agencies, allegedly lacked proper design and oversight controls needed to secure highly sensitive genetic information.

According to the Department of Justice, Illumina violated the False Claims Act by marketing systems with “cybersecurity vulnerabilities” without sufficient quality assurance processes, resources, or security infrastructure to detect and resolve those flaws. Officials said the company falsely certified that the systems complied with cybersecurity standards issued by the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST).

“Companies that sell products to the federal government will be held accountable for failing to adhere to cybersecurity standards and protecting against cybersecurity risks,” said Assistant Attorney General Brett A. Shumate. “This settlement underscores the importance of cybersecurity in handling genetic information.”

Federal officials emphasized the gravity of securing genomic data and ensuring the integrity of research systems used by defense and health agencies. Christopher M. Silvestro, Acting Special Agent in Charge at the Defense Criminal Investigative Service, noted the importance of maintaining cybersecurity standards to protect Department of Defense research and data, while HHS-OIG’s Roberto Coviello warned that “significant damage can result from a failure to adhere to required cybersecurity standards.”

The allegations came to light through a whistleblower lawsuit filed by Erica Lenore, Illumina’s former Director for Platform Management, who is set to receive $1.9 million as her share of the recovery. Illumina did not admit liability as part of the settlement. The Illumina case is one of two cybersecurity-related False Claims Act settlements announced on the same day, marking an intensifying federal focus on contractor cybersecurity compliance.

In a separate matter, California-based defense contractor Aero Turbine Inc. and its private equity owner, Gallant Capital Partners, agreed to pay $1.75 million to resolve allegations that they failed to comply with cybersecurity requirements under a contract with the U.S. Air Force. From 2018 to 2020, Aero Turbine allegedly failed to implement required NIST SP 800-171 controls and improperly shared sensitive defense information with a third-party software firm in Egypt that lacked authorization to access such data.

Unlike the Illumina case, Aero Turbine and Gallant received credit for self-disclosing the violations, cooperating with investigators, and taking prompt remedial action. DOJ officials said the case should serve as a model for voluntary disclosure and compliance repair.

“Government contractors must follow required cybersecurity standards to protect sensitive defense information,” said Assistant Attorney General Shumate. “When defense contractors fail to comply with cybersecurity requirements, they can mitigate the consequences by making timely self-disclosures, cooperating with investigations, and taking prompt remedial measures.”

“This case serves as a reminder that cybersecurity transcends mission sets,” echoed the Special Agent in Charge Caroline Galinis of the Air Force Office of Special Investigations. “Ensuring companies adhere to robust cybersecurity safeguards is integral to maintaining the Air Force’s operational edge against adversaries.”

Taken together, the two cases underscore the growing focus by federal authorities on cybersecurity compliance under the False Claims Act, particularly in contracts involving sensitive data or national security implications.
