Whistleblower lawsuit against Illumina resolved for $9.8 million by the Department of Justice over allegations of cybersecurity failures.
In a significant development, biotechnology company Illumina has agreed to a $9.8 million settlement with the U.S. Department of Justice (DoJ) over allegations that it knowingly sold genomic sequencing systems with cybersecurity vulnerabilities to multiple federal agencies between 2016 and 2023.
The government claimed that Illumina failed to implement adequate cybersecurity programs and did not properly incorporate security into its software design, development, installation, and monitoring processes. The DoJ alleged that the company misrepresented that its software met established cybersecurity standards, such as those from the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO).
The case was initiated by a whistleblower, Erica Lenore, a former director of platform management at Illumina, who provided details about the company's alleged noncompliance. As part of the settlement, Lenore will receive $1.9 million.
Between 2016 and 2023, Illumina sold devices to federal departments without a sufficient security program to identify or fix cybersecurity flaws. The vulnerabilities included software defects that could allow attackers to remotely alter test results or take control of devices, as highlighted in warnings from the Food and Drug Administration (FDA) in 2023 and the Cybersecurity and Infrastructure Security Agency (CISA) in 2022.
The DoJ emphasised the importance of cybersecurity in protecting sensitive genetic information and holding government contractors accountable for meeting contractual cybersecurity standards. Assistant Attorney General Brett Shumate of the DoJ's Civil Division stated, "Companies selling products to the federal government will be held accountable for failing to adhere to cybersecurity standards and protect against cybersecurity risks."
Despite the settlement, Illumina denied knowingly selling defective products and made no admission of wrongdoing. The company, in a statement, said it values its relationships with government agencies, including the U.S. Food and Drug Administration, and takes data security seriously, having invested significantly in its programs to align with cybersecurity best practices.
The settlement also underscores the importance of corporate stakeholders understanding the risk calculus of their technology stacks, with a focus on determining whether they are potential targets for cyber attacks. In a related development, the DoJ reached a $1.75 million settlement with defence contractor Aero Turbine Inc. and private equity firm Galant Capital Partners over claims they failed to meet cybersecurity standards related to an Air Force contract.
- The Department of Justice (DoJ) highlighted the importance of cybersecurity in handling sensitive information, such as genetic data, emphasizing accountability for government contractors that fail to meet established cybersecurity standards.
- The Illumina settlement underlines the necessity for corporate stakeholders to understand the risk calculus of their technology stacks, including whether those systems are likely targets for cyber attacks.
- The Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued warnings about vulnerabilities in Illumina's genomic sequencing systems, which could allow remote manipulation of test results or device control.
- The case against Illumina, which involved allegations that insufficient cybersecurity measures put sensitive genetic data at risk, serves as an example of the consequences of noncompliance with cybersecurity standards such as those set by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO).