Genomics heavyweight, Illumina Inc., is set to fork over $9.8 million following claims that it sold the federal government genomic sequencing systems with critical security weaknesses. The settlement aims to resolve allegations that Illumina's actions violated the False Claims Act. According to a release from the Department of Justice, between February 2016 and September 2023, the company allegedly sold systems with cybersecurity vulnerabilities to various government agencies without an adequate security program.
Assistant Attorney General Brett A. Shumate highlighted the gravity of the situation, stating that companies dealing with the government must uphold cybersecurity standards. "This settlement underscores the importance of cybersecurity in handling genetic information and the Department's commitment to ensuring that federal contractors adhere to requirements to protect sensitive information from cyber threats," he affirmed. However, the settlement does not appoint any liability; the company agreed to settle the claims alleged against them.
In an extensive lapse in cybersecurity protocol, Illumina is said to have failed to integrate proper cybersecurity measures during product design, development, installation, and on-market monitoring phases. The company is also accused of not having sufficiently resourced personnel, systems, and processes to manage product security. Moreover, the firm allegedly provided false assurances that its software met cybersecurity standards set by authoritative bodies such as the International Organization for Standardization and the National Institute of Standards and Technology.
These shortcomings are not just policy slip-ups but represent a significant threat due to the nature of the data involved. "Significant damage can result from a failure to adhere to required cybersecurity standards, especially when the systems involved include sensitive genomic data," Special Agent in Charge Roberto Coviello of the U.S. Department of Health and Human Services Office of Inspector General pointed out. The claim was originally brought forward under the whistleblower provisions of the False Claims Act by Erica Lenore, a former Director for Platform Management at Illumina.
Lenore stands to receive $1,900,000 as part of the whistleblower agreement for flagging the issue—the original complaint can be found under the case United States ex. rel. Lenore v. Illumina Inc., No. 1:23-cv-00372. The collaborative effort that led to the settlement involved the Justice Department's Civil Division, Commercial Litigation Branch, Fraud Section, and the United States Attorney’s Office for the District of Rhode Island, supported by teams from the Army Criminal Investigation Division, HHS-OIG, and the Department of Commerce Office of the Inspector General.
