In an age where protecting sensitive data is everything, one of the world’s top biotech companies just learned a costly lesson.
Illumina Inc., a major player in the field of genomic sequencing, has agreed to pay $9.8 million to settle allegations that it sold high-tech systems to U.S. government agencies without meeting basic cybersecurity standards.
The Core of the Issue: Vulnerable Tech Sold to the Feds
According to federal officials, between February 2016 and September 2023, Illumina sold genomic sequencing machines to various federal agencies.
The problem? The software powering these systems reportedly had serious cybersecurity flaws.
Even worse, the company allegedly didn’t have the right infrastructure in place—like proper security teams, protocols, or monitoring systems—to catch or fix these issues.
Government investigators claimed Illumina not only failed to build secure software from the ground up but also didn’t fix known flaws or update designs that left sensitive data exposed.
Despite this, the company allegedly told its government clients that their products met recognized cybersecurity standards, such as those from ISO and NIST.
DOJ Sends a Clear Warning to Government Contractors
“Companies selling to the federal government have to play by the rules, especially when it comes to cybersecurity,” said Assistant Attorney General Brett Shumate from the Justice Department’s Civil Division.
He emphasized that this settlement highlights the critical need to protect genetic and personal data from cyber threats.
Acting U.S. Attorney Sara Bloom in Rhode Island echoed the message, stressing the government’s ongoing effort to crack down on companies that don’t take cyber risks seriously—especially those handling private or sensitive government data.
Defense and Health Agencies Also Weigh In
Officials from the Defense Criminal Investigative Service (DCIS) and the Health and Human Services Office of Inspector General (HHS-OIG) also voiced their concern.
They said that any failure to meet cybersecurity standards could lead to serious consequences, particularly when dealing with genomic data and military research systems.
“Protecting the validity of Department of Defense data is essential to supporting our military personnel,” said DCIS’s Christopher Silvestro.
Meanwhile, Roberto Coviello from HHS-OIG emphasized the risks posed by insecure health tech systems.
Whistleblower Gets Reward for Flagging the Issue
The lawsuit was originally brought under the False Claims Act’s whistleblower provisions, which allow private individuals to sue on behalf of the government.
In this case, Erica Lenore, a former Director at Illumina, stepped forward with insider knowledge about the company’s cybersecurity shortfalls.
As part of the settlement, she will receive $1.9 million for her role in exposing the issue.
Behind the Scenes of the Government’s Investigation
This resolution was the result of a combined effort from several federal departments.
The Justice Department’s Civil Division, the U.S. Attorney’s Office in Rhode Island, and investigative arms from the Army, Commerce, Defense, and HHS all worked together to build the case.
The case was led by Trial Attorney Erin Colleran and Acting U.S. Attorney Sara Bloom, who saw it through to its final conclusion.
No Admission of Guilt—But a Serious Wake-Up Call
While Illumina has agreed to the settlement, it’s worth noting that the company hasn’t admitted to any wrongdoing.
These were allegations only, and there has been no legal finding of liability.
Still, the message is loud and clear: When it comes to handling sensitive data—especially genomic data linked to government operations—cybersecurity can’t be an afterthought.