Illumina Pays $9.8M to Settle FCA Cybersecurity Allegations: When the Product Itself Is the Compliance Problem

The DOJ resolved False Claims Act allegations against Illumina Inc. for $9.8 million after the company sold federal agencies genomic sequencing systems with embedded cybersecurity vulnerabilities while falsely representing those systems complied with NIST and ISO standards. It is the first major Civil Cyber-Fraud Initiative settlement targeting product cybersecurity rather than operational IT compliance.

Brandon Hancock, J.D., CMMC-RP · Published June 30, 2026 · Updated June 30, 2026 · 6 min read

A former portfolio director filed the whistleblower complaint. The theory: Illumina sold the government genomic sequencing systems with embedded cybersecurity vulnerabilities — and falsely claimed those systems met NIST and ISO standards.

On July 31, 2025, the Department of Justice announced that Illumina Inc. agreed to pay $9.8 million to resolve False Claims Act allegations that it sold federal agencies genomic sequencing systems containing cybersecurity vulnerabilities while falsely representing that those systems complied with established cybersecurity standards. The settlement adds a new category of defendant to the Civil Cyber-Fraud Initiative's enforcement record: companies that sell software-embedded products to the government, not just companies that operate systems.

What Happened

Illumina is a Delaware corporation, headquartered in California, that manufactures genomic sequencing systems — hardware and software used in medical, research, and defense contexts. Federal agencies, including components of the Department of Defense, purchased those systems.

The DOJ alleged that between February 2016 and September 2023, Illumina:

  • Failed to incorporate product cybersecurity in its software design, development, installation, and on-market monitoring processes.
  • Failed to properly support and resource the personnel, systems, and processes responsible for product security.
  • Failed to adequately correct design features that introduced cybersecurity vulnerabilities into the genomic sequencing systems.
  • Falsely represented that the software on those systems adhered to cybersecurity standards, including standards of the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST).

In other words: Illumina sold a product, told the government that product was secure, and it was not. That combination — deficient product security plus a false representation of compliance — is the theory the government used to apply the False Claims Act.

The case was filed under the FCA's qui tam provisions as United States ex rel. Lenore v. Illumina Inc., No. 1:23-cv-00372 (D.R.I.). The whistleblower, Erica Lenore, was a former Director for Platform Management, On-Market Portfolio at Illumina. She will receive $1,900,000 — approximately 19 percent of the settlement — for bringing the case on the government's behalf.

(A settlement is not an admission of liability.)

Why This Case Is Different

Every previous Civil Cyber-Fraud Initiative settlement has centered on a contractor's operational environment: the network, the information system, the SPRS score, the system security plan. The theory is always some version of "you contracted to implement NIST 800-171, you didn't, you billed the government anyway."

Illumina is different. The compliance failure here was in the product Illumina built and sold, not in the IT infrastructure Illumina used to perform the contract. Illumina was not primarily an IT services contractor. It was a product vendor whose goods happened to run software — software with vulnerabilities that Illumina allegedly knew about and failed to fix, while telling buyers those systems met applicable standards.

This distinction matters for a broad category of government vendors that have not previously considered themselves Civil Cyber-Fraud Initiative targets:

  • Medical device and diagnostic equipment manufacturers selling to VA, HHS, or military hospitals.
  • Scientific instrument companies selling to federal research agencies or DoD laboratories.
  • Industrial control and operational technology vendors whose products include embedded software used in federal facilities or infrastructure.
  • Commercial off-the-shelf (COTS) software vendors that make representations about security in their government sales materials.

If your company sells a product to a federal agency and that product runs software, and if your sales agreement or representations include any claim about cybersecurity standards compliance, this case is relevant to you.

The False Representation Element

The DOJ's press release identifies "falsely represented" as the operative phrase alongside the substantive failures. This matters because the FCA requires a false claim — not merely negligence or a compliance gap.

In this context, the representation was that the software "adhered to cybersecurity standards, including standards of the International Organization for Standardization and National Institute of Standards and Technology." When companies put cybersecurity compliance claims in their proposals, contract deliverables, or product documentation without the controls in place to back them up, those representations become the factual predicate for FCA liability.

This is not unique to Illumina. Any government vendor whose sales process, marketing materials, or contract deliverables include cybersecurity compliance statements — and whose product security program cannot support those statements — faces the same exposure.

What Contractors and Vendors Should Do

1. Map your compliance representations to your actual program. If a proposal, data sheet, product documentation, or contract certification says your product complies with a NIST publication or ISO standard, your security program needs to be able to demonstrate that in practice. Representations drive liability.

2. Treat product cybersecurity as a contract compliance obligation, not just an engineering concern. The Illumina case shows that product lifecycle decisions — design, development, installation, on-market monitoring — are contract performance decisions when the product is sold to the government under terms that include cybersecurity standards.

3. Build a vulnerability disclosure and correction process for your products. The DOJ alleged that Illumina failed to adequately correct known design features that introduced vulnerabilities. Having a documented, resourced process for identifying and correcting product vulnerabilities is both a good engineering practice and, in a federal sales context, a compliance requirement.

4. Consider FCA exposure in your supply chain and M&A diligence. If you are acquiring a company that sells products to the federal government and makes cybersecurity compliance representations, prior-period product security failures can carry FCA exposure into the deal — just as prior-period NIST 800-171 gaps travel in a defense contractor acquisition.

Where This Fits

The Illumina settlement joins the LOGZONE, Raytheon/Nightwing, Aerojet Rocketdyne, and Guidehouse/Nan McKay cases in an FCA enforcement record that keeps expanding its reach. The consistent principle across all these cases is that federal cybersecurity requirements are contract terms — and false claims about compliance with contract terms are actionable. Whether the compliance obligation lives in an operational IT system or in the product specifications of a sequencing machine, the legal theory is the same.

Contractors and vendors assessing their exposure can start with the Find My Requirements tool, and the Compliance Roadmap Assessment™ can help identify where product or program-level gaps require attention.

Key Takeaways

  • Illumina agreed to pay $9.8 million to resolve False Claims Act allegations that it sold genomic sequencing systems to federal agencies with known cybersecurity vulnerabilities while falsely representing those systems complied with NIST and ISO standards — the first major Civil Cyber-Fraud Initiative settlement targeting product cybersecurity rather than operational IT compliance.
  • Any company that sells software-embedded products to the government and makes cybersecurity compliance representations in its proposals, contracts, or documentation faces the same legal theory, regardless of whether it considers itself an "IT contractor."
  • The case was brought by a former Illumina portfolio director under the FCA's qui tam provisions; she will receive $1.9 million from the $9.8 million settlement, reinforcing that product security decisions made internally are visible to the people who make them.
Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the founder and principal advisor of GovConCyber. His advisory approach is shaped by roughly six years as a U.S. Army human intelligence collector, where information accuracy, source protection, classification discipline, need-to-know access, and controlled reporting were daily requirements. He brings that information-discipline mindset to GovConCyber's work helping government contractors understand and comply with federal cybersecurity obligations.