Illumina Agrees to $9.8 Million Settlement Over Medical Device Cybersecurity Allegations
In a landmark cybersecurity enforcement action, biotechnology company Illumina Inc. has agreed to pay $9.8 million plus interest to resolve allegations that it misrepresented compliance with federal cybersecurity requirements for medical device software, the U.S. Department of Justice announced on July 30, 2025.
The settlement resolves a whistleblower lawsuit filed under the False Claims Act by a former Illumina employee, in which the federal government later intervened. According to the complaint, from January 2016 to April 2023, Illumina failed to incorporate adequate cybersecurity measures into the design, development, and marketing of certain products used for research and clinical purposes.
Federal investigators alleged that Illumina falsely certified to the U.S. Food and Drug Administration that its products complied with applicable cybersecurity requirements despite significant deficiencies. The company reportedly failed to maintain adequate security programs, address known vulnerabilities, or provide sufficient support for personnel tasked with product security.
Under the settlement terms, Illumina will pay $4.3 million in restitution as part of the total resolution, with the whistleblower receiving $1.9 million. The company has denied the allegations but stated it agreed to settle to avoid the “uncertainty, expense, and distraction of litigation.” Illumina emphasized that it remediated the identified software issues between 2022 and 2024 and reaffirmed its commitment to data security.
What makes this case particularly significant is that it represents the first False Claims Act settlement focused specifically on alleged failures to meet cybersecurity requirements for medical devices—proceeding without allegations of an actual breach. The DOJ’s theory of liability centered on false representations of compliance and inadequate internal controls to detect and remediate vulnerabilities.
“This settlement shows the government is serious about enforcing cybersecurity standards across all sectors, especially where public health and safety are concerned,” said a former FDA official familiar with medical device regulations, who requested anonymity because they were not authorized to speak about the case. “Companies can no longer treat cybersecurity as an afterthought in their development process.”
The Illumina case follows a growing trend of DOJ cybersecurity enforcement actions under the False Claims Act. In March 2025, defense contractor MORSECORP agreed to pay $4.6 million to resolve allegations of failing to implement required cybersecurity controls under Department of Defense contracts. The previous month, Centene Corporation and Health Net Federal Services settled for $11.25 million over allegations they falsely certified compliance with cybersecurity requirements under TRICARE contracts.
The settlement comes amid expanding cybersecurity compliance obligations for federal contractors. The Department of Defense’s Cybersecurity Maturity Model Certification Final Rule took effect in December 2024, requiring contractors to comply with specific cybersecurity levels based on their contracts.
For medical device manufacturers like Illumina, the FDA has also heightened its regulatory expectations. Under Section 524B of the Federal Food, Drug, and Cosmetic Act, which took effect in March 2023, manufacturers of “cyber devices”—broadly defined as those that include software, can connect to the internet, and could be vulnerable to cybersecurity threats—must include detailed cybersecurity information in premarket submissions.
“This case represents a perfect storm of increased regulatory scrutiny from both the DOJ and FDA,” said Rachel Kim, a cybersecurity compliance attorney with a Washington DC-based law firm. “Medical device manufacturers now face dual exposure—FDA regulatory action and potential False Claims Act liability—even without an actual breach occurring.”
Industry experts recommend that companies in regulated industries take several proactive steps to mitigate risk, including evaluating product cybersecurity scope, updating regulatory submissions, aligning quality systems with cybersecurity controls, and ensuring all government certifications are fully substantiated.
“The government is clearly signaling that cybersecurity compliance is not just about checking boxes,” Kim added. “It requires ongoing, verifiable implementation of security controls and transparent communication with regulators when issues are identified.”
For the broader business community, the Illumina settlement serves as a reminder that the DOJ’s cybersecurity enforcement efforts now extend well beyond traditional defense contracting into healthcare and other regulated industries where government funding is involved.