Illumina headquarters in San Diego. Image: @illumina / X

Biotech contractor settles for $9.8 million with DOJ over alleged cybersecurity lapses

Illumina Inc. has agreed to a $9.8 million settlement with the U.S. government to resolve allegations that it sold the federal government genomic sequencing systems riddled with cybersecurity flaws.

The case against the biotech company specializing in genetic analysis was brought under the False Claims Act, which allows the Department of Justice to pursue damages from vendors who violate contracts. It has become a staple of federal prosecutions of government contractors accused of shirking cybersecurity responsibilities.

The DOJ alleged that between 2016 and 2023, the San Diego-based firm sold government agencies products that included software vulnerabilities. Illumina had an inadequate security program, the government said, and did not sufficiently monitor for or fix cybersecurity issues in its products.

Illumina “knowingly failed to incorporate product cybersecurity in its software design, development, installation, and on-market monitoring,” a DOJ press release said. 

It also starved staff and systems charged with product security of resources and deceptively claimed that its software met national benchmarks for cybersecurity standards, the government said.

Over the past few years, federal agencies and Illumina itself have issued multiple warnings about vulnerabilities in its products.

A spokesperson for Illumina said in a statement that the company denies the allegations, but agreed to settle “to avoid the uncertainty, expense, and distraction of litigation.”

“The allegations related to software issues, which Illumina successfully remediated for customers in 2022-2024,” the statement said. “Illumina takes data security seriously and has invested significantly in its programs to align with cybersecurity best practices for the development and deployment of our products.”

“Companies that sell products to the federal government will be held accountable for failing to adhere to cybersecurity standards and protecting against cybersecurity risks,” Assistant Attorney General Brett A. Shumate of the Justice Department’s Civil Division said in a statement. 

“This settlement underscores the importance of cybersecurity in handling genetic information and the Department’s commitment to ensuring that federal contractors adhere to requirements to protect sensitive information from cyber threats.”

The lawsuit followed disclosures from a whistleblower who had been a senior executive at Illumina. 

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.