DOJ reaches $9.8 million settlement with Illumina over cyber whistleblower claims

The Department of Justice on Thursday announced a $9.8 million settlement with Illumina over allegations that the company sold genomic-sequencing systems with software vulnerabilities to federal agencies for multiple years.

Between 2016 and 2023, the government said, the company sold the systems without having an adequate security program and knowingly failed to incorporate cybersecurity into its product design process.

According to prosecutors’ complaint, Illumina is the dominant company in the global market, with a share of roughly 80%.

“Companies that sell products to the federal government will be held accountable for failing to adhere to cybersecurity standards and protecting against cybersecurity risks,” Assistant Attorney General Brett Shumate of the DOJ’s Civil Division said in a statement. 

“This settlement underscores the importance of cybersecurity in handling genetic information and the department’s commitment to ensuring that federal contractors adhere to requirements to protect sensitive information from cyber threats,” he added.

Illumina denied the allegations that it knowingly sold defective products, and the agreement states that the company is not making any admissions related to those claims.

The Food and Drug Administration in 2023 issued a warning about a vulnerability in Illumina software that could allow an attacker to change settings on the device or even take it over remotely. 

In 2022, the Cybersecurity and Infrastructure Security Agency warned about a flaw in Illumina’s Local Run Manager software that could allow an attacker to remotely alter test results. The company later patched the flaw.

The case involved a whistleblower — Erica Lenore, a former director of platform management at Illumina — who provided the government with details about the company’s alleged noncompliance. Lenore will receive $1.9 million from the settlement. 

DOJ also reached a $1.75 million settlement with defense contractor Aero Turbine Inc. and private equity firm Galant Capital Partners over claims they failed to meet cybersecurity standards related to an Air Force contract.

The DOJ did credit them for voluntarily coming forward to cooperate in the case. 

A spokesperson for Illumina could not immediately be reached for comment.

