Photo of Nkechi KanuPhoto of Kate GrowleyPhoto of Brian Tully McLaughlinPhoto of Michael G. Gruden, CIPP/GPhoto of Jasmine Masri

On July 31, 2025, the Department of Justice (DOJ) announced that Illumina, Inc. will pay $9.8 million to resolve allegations that it violated the False Claims Act (FCA) by selling genomic sequencing systems with software containing cybersecurity vulnerabilities to federal agencies. This is the first FCA settlement involving claims that a medical manufacturer failed to incorporate adequate product cybersecurity into its software design and development.

The allegations were first made in United States ex rel. Lenore v. Illumina Inc., No. 1:23-cv-00372 (D.R.I.), a qui tam action filed by Illumina’s former Director for Platform Management, On-Market Portfolio in September 2023. The relator alleged that, between February 2016 and September 2023, Illumina knowingly sold genomic sequencing systems to government agencies without adequate security programs or quality systems to identify and address software vulnerabilities. The complaint further alleged that Illumina failed to properly resource personnel and processes responsible for product security, did not remediate design features introducing cybersecurity risks, and misrepresented the software’s adherence to required cybersecurity standards.

According to the government, Illumina’s actions included:

    • Failing to incorporate product cybersecurity into the lifecycle of its genomic sequencing systems, including design, development, and post-market monitoring;
    • Inadequately supporting and resourcing the personnel, systems, and processes responsible for product security;
    • Not correcting design features that introduced known cybersecurity vulnerabilities; and
    • Falsely certifying compliance with cybersecurity standards published by the International Organization for Standardization (ISO) and the National Institute of Standards & Technology (NIST) in representations to federal agencies.

As a result of these actions, the government contended that Illumina submitted false claims to numerous agencies for its genomic sequencing systems. Notably, the government asserted that the claims were false regardless of whether any actual cybersecurity breaches occurred.  As part of the settlement, Illumina agreed to pay $9.8 million, with $1.9 million of that awarded to the whistleblower as a relator’s share. In its press release, the government emphasized that the settlement underscores the importance of cybersecurity in the handling of sensitive genetic information and reinforces DOJ’s commitment to hold federal contractors accountable for cybersecurity risks.

Key Takeaways

    • DOJ is not focused solely on the security of contractor systems.  DOJ is continuing to explore the full scope of cybersecurity shortcomings, probing down to the software and hardware level of products provided to the government, particularly in the life sciences, medical technology, and digital health space.  This represents the first FCA settlement grounded in software vulnerabilities since DOJ’s early salvos in 2019. 
    • Federal contractors must ensure that secure software development is embedded throughout the product lifecycle, from design to post-market monitoring.  Overlooking it in the federal marketplace carries risks of not only operational downsides but also regulatory enforcement.
    • NIST is not the only cybersecurity standard that matters.  False representations of compliance with any cybersecurity standard for products or software, including ISO standards less frequently seen in government contracts, can lead to allegations of FCA liability.
    • Whistleblowers remain key drivers of FCA enforcement in the cybersecurity space.  With substantial financial incentives available under the statute’s qui tam provisions, federal contractors should anticipate more whistleblower activity, especially among personnel expressing concerns about cybersecurity compliance.
Tags: FCA, government contracts
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Nkechi Kanu Nkechi Kanu

Nkechi A. Kanu is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Government Contracts Group.

Nkechi’s practice focuses on False Claims Act investigations and litigation. Nkechi has significant experience assisting companies with…

Nkechi A. Kanu is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Government Contracts Group.

Nkechi’s practice focuses on False Claims Act investigations and litigation. Nkechi has significant experience assisting companies with complex internal investigations and represents clients in government investigations involving allegations of fraud. She also focuses on assisting clients with investigations relating to cybersecurity and information security compliance. Her complementary litigation practice involves defending companies in government-facing litigation arising under the FCA, resulting in the dismissal of qui tam complaints and successful settlements of FCA claims with DOJ.

Read more about Nkechi Kanu
Show more Show less
Photo of Kate Growley Kate Growley

Kate M. Growley (CIPP/US, CIPP/G) is a director with Crowell & Moring International and based in Hong Kong. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients understand, navigate, and shape the policy…

Kate M. Growley (CIPP/US, CIPP/G) is a director with Crowell & Moring International and based in Hong Kong. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients understand, navigate, and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Read more about Kate Growley
Show more Show less
Photo of Brian Tully McLaughlin Brian Tully McLaughlin

Brian Tully McLaughlin is a partner in the Government Contracts Group in Washington, D.C. and co-chair of the False Claims Act Practice. Tully’s practice focuses on False Claims Act investigations and litigation, particularly trial and appellate work, as well as litigation of a…

Brian Tully McLaughlin is a partner in the Government Contracts Group in Washington, D.C. and co-chair of the False Claims Act Practice. Tully’s practice focuses on False Claims Act investigations and litigation, particularly trial and appellate work, as well as litigation of a variety of complex claims, disputes, and recovery matters. Tully’s False Claims Act experience spans procurement fraud, healthcare fraud, defense industry fraud, and more. He conducts internal investigations and represents clients in government investigations who are facing fraud or False Claims Act allegations. Tully has successfully litigated False Claims Act cases through trial and appeal, both those brought by whistleblowers / qui tam relators and the Department of Justice alike. He also focuses on affirmative claims recovery matters, analyzing potential claims and changes, counseling clients, and representing government contractors, including subcontractors, in claims and disputes proceedings before administrative boards of contract appeals and the Court of Federal Claims, as well as in international arbitration. His claims recovery experience includes unprecedented damages and fee awards. Tully has appeared and tried cases before judges and juries in federal district courts, state courts, and administrative boards of contract appeals, and he has argued successful appeals before the D.C. Circuit, the Federal Circuit, and the Fourth and Seventh Circuits.

Read more about Brian Tully McLaughlin
Show more Show less
Photo of Michael G. Gruden, CIPP/G Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked…

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Read more about Michael G. Gruden, CIPP/G
Show more Show less
Photo of Jasmine Masri Jasmine Masri

Jasmine Masri is an associate in Crowell & Moring’s Government Contracts and International Trade groups. Jasmine focuses her practice on global compliance issues, regulatory enforcement matters, and government investigations. Through her practice, Jasmine provides counsel on a variety of matters at the intersection…

Jasmine Masri is an associate in Crowell & Moring’s Government Contracts and International Trade groups. Jasmine focuses her practice on global compliance issues, regulatory enforcement matters, and government investigations. Through her practice, Jasmine provides counsel on a variety of matters at the intersection of government contracts and international trade, including cross-border government procurement, economic sanctions, and export controls.

Read more about Jasmine Masri
Show more Show less
Related Posts
Record-Setting False Claims Act Settlement Highlights DOJ Commitment to Customs Enforcement
December 29, 2025
Buying Peace: The Importance of Releasing FCA Liability When Resolving Criminal Allegations of Fraud Against the Government
November 24, 2025
From Yellow Jackets to Red Flags: DOJ Stings Georgia Tech for Alleged Cybersecurity Noncompliance
October 15, 2025