US Alleged Illumina ‘Knowingly’ Sold Feds Systems Containing Vulnerabilities

Genomics sequencing firm Illumina Inc. has agreed to pay $9.8 million to resolve False Claims Act whistleblower allegations that it sold software and systems containing cybersecurity vulnerabilities to government agencies over more than seven years.
The U.S. Department of Justice said Illumina, which is headquartered in California but incorporated in Delaware, sold genomic sequencing systems with software containing vulnerabilities between February 2016 and September 2023 and “without having an adequate security program and sufficient quality systems to identify and address those vulnerabilities.”
“Companies that sell products to the federal government will be held accountable for failing to adhere to cybersecurity standards and protecting against cybersecurity risks,” said Brett Shumate, assistant attorney general of the justice department’s civil division, in a statement issued Thursday.
Illumina, in a statement provided to Information Security Media Group, said that while the company denies the government’s allegations, it agreed to settle the dispute to avoid the uncertainty, expense and distraction of litigation.
“The allegations related to software issues, which Illumina successfully remediated for customers in 2022-2024. Government agencies, including the U.S. Food and Drug Administration, are important customers and Illumina values these relationships,” the company said.
“Illumina takes data security seriously and has invested significantly in its programs to align with cybersecurity best practices for the development and deployment of our products. We are pleased to put this matter behind us.”
The justice department alleged that Illumina “knowingly failed” to incorporate product cybersecurity in its software design, development, installation and on-market monitoring.
Federal prosecutors also said the company failed to properly support and provide resources including personnel, systems and processes tasked with product security. They also said the company failed to adequately correct design features that introduced cybersecurity vulnerabilities in the genomic sequencing systems and falsely represented that the software adhered to cybersecurity standards including those of the International Organization for Standardization and National Institute of Standards and Technology.
The justice department alleged that Illumina sold the flawed genomic sequencing systems and software to the U.S. Department of Health and Human Services, the Department of Veterans Affairs, the National Aeronautics and Space Administration, the Departments of the Army, Navy and Air Force, the Department of the Interior, the Smithsonian Institution, the Department of Energy, the Department of Commerce, the Department of Homeland Security and the Department of Agriculture.
The settlement resolves a lawsuit filed in 2023 under the whistleblower provisions of the False Claims Act, which allows private parties to sue on behalf of the government when the accused has submitted false claims for government funds.
In the Illumina case, the whistleblower, Erica Lenore, a former Illumina director for platform management and on-market portfolio, is set to receive $1.9 million for her share of the settlement.
