Genomics Equipment Company Settles False Cyber Claims for $9.8M

US Allegations Against Illumina: Knowingly Selling Vulnerable Systems to Federal Agencies

Illumina Inc., a prominent firm in genomics sequencing, has reached a $9.8 million settlement to resolve allegations under the False Claims Act. The U.S. Department of Justice claims that Illumina sold software and systems embedded with cybersecurity vulnerabilities to federal agencies over a span of more than seven years.

According to the allegations, Illumina, which is based in California and incorporated in Delaware, supplied genomic sequencing systems between February 2016 and September 2023 that lacked an adequate security protocol. The DOJ stated these products were delivered “without having sufficient quality systems to identify and rectify those vulnerabilities.”

Brett Shumate, Assistant Attorney General of the Civil Division of the Justice Department, emphasized that companies engaging with the federal government must adhere to cybersecurity standards and be accountable for their practices.

In a statement responding to the allegations, Illumina denied them but agreed to settle to avoid the uncertainties and costs associated with litigation. The company highlighted that it had effectively addressed the software vulnerabilities in 2022-2024 and asserted the importance of its partnerships with government agencies, including the U.S. Food and Drug Administration.

Illumina further clarified its commitment to data security, stating it has heavily invested in aligning its development and deployment processes with recognized cybersecurity best practices. Nevertheless, the DOJ’s allegations point to a “knowing failure” to incorporate cybersecurity into critical areas such as software design, development, and monitoring.

Federal authorities indicated that Illumina neglected to provide adequate support and resources to ensure product security, resulting in lapses that introduced significant vulnerabilities. Claims also surfaced that the company misrepresented compliance with cybersecurity standards established by organizations such as the International Organization for Standardization and the National Institute of Standards and Technology.

Illumina’s products were reportedly sold to multiple federal bodies, including the Department of Health and Human Services and NASA, among others. The settlement resolves a whistleblower lawsuit filed in 2023; such lawsuits empower private individuals to sue on behalf of the government for false claims.

The whistleblower in this case, Erica Lenore, a former director of platform management at Illumina, is set to receive $1.9 million from the settlement proceeds. The implications of this case underline the crucial need for organizations to prioritize cybersecurity, not only to protect their reputations but also to maintain their obligations to government entities.
