Illumina’s $9.8M Settlement Highlights Expanding Cybersecurity False Claims Act Enforcement

by Madison A. Gregg and Cameron Smith

Illumina Inc. (“Illumina”) will pay $9.8 million to resolve allegations that it violated the False Claims Act (“FCA”) by selling DNA sequencing tools to federal agencies without meeting Government-mandated security standards. The case reflects a growing practice by the Department of Justice (“DOJ”) to hold contractors accountable for cybersecurity failures using the FCA, and highlights the critical role of whistleblowers in exposing such security cybersecurity risks.

Allegations of Cyber Fraud at Illumina in Violation of the FCA

The DOJ alleges that, from February 2016 through September 2023, biotechnology company Illumina violated the FCA by selling DNA sequencing systems that had cybersecurity deficiencies to government agencies. Specifically, Illumina allegedly had inadequate security programs and insufficient quality systems to identify and address potential (and actual) cybersecurity deficiencies. The Government alleges that Illumina knowing failed to incorporate the appropriate cybersecurity measures in its software; failed to support and give resources to its personnel, systems, and processes tasked with overseeing product security; and failed to adequately address design features that posed cybersecurity risks. In addition, Illumina allegedly submitted false claims to the Government about the cybersecurity protections of its products.

The False Claims Act imposes liability on entities and individuals that knowingly submit, or cause to be submitted, false claims to the Government for payment. In this case, Illumina is alleged to have knowingly failed to adhere to cybersecurity standards and protect against cybersecurity risks, yet falsely told the Government that they had in connection with its federal contracts. The alleged behavior would qualify as the submission of false statements to the Government under the FCA.

Some examples of other types of cybersecurity and IT issues that may qualify under the FCA are businesses failing to report security incidents or mismanaging customer information, employees or contractors that use cyber systems for personal or financial gain, falsely reporting compliance, overpricing, or companies ignoring known security weaknesses that put users at risk. All of these violations can be detrimental to consumers and could potentially lead to national security risks.

The Role of Whistleblowers Role in Exposing False Claims Act Violations in the Cybersecurity Sphere

The FCA allows private citizens, known as “relators” or “whistleblowers,” to bring forward cybersecurity whistleblower cases to disclose unlawful, unethical, or unsafe practices. Cybersecurity whistleblowers play a critical role in disclosing cyber fraud, protecting consumers, and safeguarding national security. Because of the substantial risks to consumers and other entities in cybersecurity false claims, the FCA and analogous state laws provide protection and financial incentives to whistleblowers.

Whistleblowers should take precautions to protect their identity, job security, and legal rights by gathering evidence legally, maintaining confidentiality, and using secure reporting channels. The FCA protects whistleblowers who expose fraud on the government and also provides financial incentives. In the Illumina matter, the whistleblower, Erica Lenore, received $1,900,000 for her efforts to report cybersecurity fraud and risks that she allegedly observed at Illumina in her former role as Director for Platform Management.

As shown in the Illumina settlement, whistleblowers who reveal cybersecurity breaches may be entitled to whistleblower awards for their cooperation with federal whistleblower programs. Under the FCA, whistleblowers can potentially receive 15% to 30% of recovered funds. Several highly publicized whistleblower cases involving technology companies have resulted in payouts in the multi-million-dollar range.

Companies Will be Held Accountable for Failure to Adhere to Cybersecurity Standards

The DOJ’s $9.8 million settlement with Illumina reveals the Department of Justice’s expanding enforcement surrounding false claims in the cybersecurity arena. This settlement demonstrates the DOJ’s commitment to ensuring that federal contractors adhere to the requirements to protect sensitive information from cybersecurity threats. There does not have to be a confirmed cybersecurity breach for companies to be held liable for the inadequate protection of information. The DOJ is committed to ensuring federal contractors’ cybersecurity systems are sufficiently protecting private and sensitive information before a breach can occur. This settlement shows that significant damage could occur if companies fail to protect sensitive information and fail to adhere to required cybersecurity standards.

Miller Shah for Cybersecurity and IT Whistleblower Cases

Miller Shah is dedicated to protecting cybersecurity whistleblowers and ensuring that entities committing fraud against the Government are brought to justice. Our Firm has extensive experience representing FCA and whistleblower matters and is committed to providing our clients with the best representation possible.

If you have any information surrounding cybersecurity fraud or a potential False Claim Act case, contact Miller Shah online or call 866-540-5505 to arrange for a consultation.