Well-advised companies know that among their key corporate risks are potential liability exposures arising from or related to cybersecurity. A recent U.S. Department of Justice enforcement action highlights the fact that corporate cybersecurity risk may take a number of forms, including, as was the case in the recent matter, potential False Claims Act (FCA) liability for cybersecurity vulnerabilities in products sold to the federal government. The fact that the recent case, involving life sciences company Illumina, settled for $9.8 million underscores the seriousness of this cybersecurity-related FCA liability exposure.

A copy of the Department of Justice’s July 31, 2025, press release about the Illumina settlement can be found here. An August 7, 2025, memo from the Skadden law firm about the settlement can be found here.

Background

Illumina is a manufacturer of DNA sequencing systems. In September 2023, a former Illumina platform management director, acting as a “relator” (in effect, whistleblower), filed a qui tam action against Illumina alleging that between February 2016 and September 2023, the company had violated the False Claims Act by submitting or causing others to submit claims to federal payors for payment while knowingly concealing or misrepresenting the allegedly deficient cybersecurity condition of the company’s genomic sequencing products.

The relator alleged that genomic sequencing products had multiple cybersecurity failings; for example, among other things, she alleged that the company’s products allowed everyday users of its systems elevated privileges that allowed them to access confidential patient health data. The relator also alleged Illumina made “materially false certifications to the Government about the cybersecurity protections of its products.” The Department of Justice entered the case as an intervenor.

The Settlement

On July 31, 2025, the Department of Justice announced that it had reached a settlement with Illumina, in which the company agreed to pay $9.8 million to resolve allegations that it violated the False Claims Act when it sold genomic sequencing systems with cybersecurity vulnerabilities to federal agencies. In one particularly noteworthy detail of the settlement, the original relator is to receive $1.9 million as her share of the settlement.

Discussion

As the Skadden law firm memo to which I linked above put it, the Illumina settlement underscores the fact that “cybersecurity remains a significant enforcement priority for the DOJ.” The law firm memo details that the action against Illumina is actually one of a series of civil FCA cases the agency has pursued based on alleged cybersecurity deficiencies.

The DOJ’s news release about the settlement quotes one government official as saying that “Companies that sell products to the federal government will be held accountable for failing to adhere to cybersecurity standards and protecting against cybersecurity risks,” and as saying further that the settlement underscores “the Department’s commitment to ensuring that federal contractors adhere to requirements to protect sensitive information from cyber threats.”

The government’s pursuit of the claims against Illumina shows that among the risks companies may face as a result of cybersecurity vulnerabilities is the risk of potential governmental enforcement action under the False Claims Act. The government’s actions show that companies now face not only the risks of traditional regulatory enforcement, but also risks, as the law firm memo puts it, “from alleged failures to meet cybersecurity standards – particularly where those failures result in false representations to the government.”

The message of this case is that companies may need to expand their view of what constitutes cybersecurity risk. At a minimum, it is clear that corporate cybersecurity risk may now include potential False Claims Act liability for cybersecurity vulnerabilities in their products.

There is one particular aspect of this case that should not be overlooked, and that is the fact that this False Claims Act enforcement matter began as a qui tam action launched by a former employee. This type of whistleblower action creates a particularly troublesome aspect of this kind of regulatory vulnerability. Current and former employees, motivated by the kind of award the relator here received, are incentivized to come forward and allege supposed cybersecurity vulnerabilities. That is, companies not only face the risk of False Claims Act liability but they may be particularly susceptible to these kinds of claims owing to the possibility of whistleblower awards.

This enforcement case does show that companies that sell products relied on by governmental agencies may face False Claims Act exposure to the extent that they make representations or agree to contractual obligations involving cybersecurity compliance. This potential liability exposure suggests that companies doing business with the federal government may have heightened incentives to review product offerings for cybersecurity vulnerabilities and to review all representations made to the government concerning cybersecurity.

One final note. It seems that under the current Presidential administration, the government is using the False Claims Act in a number of ways. As I have noted in recent posts, the government is using the FCA to enforce its policies, including, for example, with respect to DEI and even with respect to tariffs. As this case underscores, it appears that the government’s regulatory authorities consider the FCA an important tool in their arsenal, one that the government seems motivated to deploy.