By the third quarter of 2025, the Department of Justice (DOJ) has made plain that it will continue using the False Claims Act (FCA) to advance administration priorities.

While the focus on diversity, equity, and inclusion (DEI)—addressed in our August 8 post—continues to make headlines, DOJ is not taking its eye off cybersecurity. Two settlements announced in late July, totaling approximately $11.5 million, reinforce that noncompliance with cybersecurity obligations can trigger FCA exposure.

Illumina, Inc. Settlement ($9.8 Million)

On July 31, DOJ announced that biotech company Illumina, Inc. agreed to pay $9.8 million to resolve FCA allegations that it sold genomic sequencing systems to multiple federal agencies with software that had cybersecurity vulnerabilities and without adequate product security and quality systems to identify and remediate those vulnerabilities. Specifically, the government alleged that Illumina: (1) failed to incorporate product cybersecurity into software design, development, installation, and on-market monitoring; (2) under-resourced product security personnel, systems, and processes; (3) failed to correct design features that introduced vulnerabilities; and (4) falsely represented adherence to cybersecurity standards, including standards of the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST). 

Notably, the United States asserted in the settlement agreement that the claims for payment were false “regardless of whether any actual cybersecurity breaches occurred” because the software had various cybersecurity vulnerabilities and lacked security programs and quality systems to address vulnerabilities. The relator, a former Illumina director, will receive $1.9 million as her share of the settlement.

Aero Turbine, Inc. Settlement ($1.75 Million)

In a settlement also announced on July 31, defense contractor Aero Turbine Inc. and its private equity owner Gallant Capital Partners resolved allegations that the company failed to implement certain NIST controls under a U.S. Air Force contract and improperly provided a foreign software vendor in Egypt with files containing sensitive defense information. The defendants received cooperation credit under DOJ’s FCA guidelines (Justice Manual § 4-4.112) because they “provided the government with multiple written self-disclosures, cooperated with the government’s investigation of the issues, and took prompt remedial action.”

Significance of These Cases

  • No breach is required. DOJ asserted in the Illumina settlement agreement that the claims to the agencies were false even absent an actual breach, reinforcing that cyber representations can be material to payment and form the basis for FCA liability. This is a powerful signal for contractors selling software-enabled products into federal environments, as representations about adherence to various standards (e.g., ISO, NIST) can become the backbone of an FCA theory if they are not fully supported across the product lifecycle.
  • Private equity is not insulated. As part of the Aero Turbine resolution, DOJ settled with both the portfolio company and its private equity owner, reflecting DOJ’s continued willingness to reach controlling sponsors when they allegedly influence conduct impacting corporate compliance. Private equity sponsors should consider baking cyber diligence and oversight into portfolio governance.
  • Cooperation credit is real. The Aero Turbine settlement agreement expressly memorializes the basis for cooperation credit under Justice Manual § 4-4.112, a practice DOJ has been moving toward in civil FCA matters. Early, thorough self-disclosure can materially affect outcomes, and having a ready-to-run playbook for self-disclosure and concrete remediation can significantly influence FCA liability.
  • Potential whistleblowers are watching product security. The relator in Illumina (formerly a director overseeing the on-market portfolio at the company) received $1.9 million, underscoring whistleblower incentives around design, resourcing, and lifecycle security of software-enabled products used by government agencies.
  • Companies should expect broader agency interest. Illumina’s settlement involved claims across numerous civilian and defense agencies, reminding vendors that cyber expectations are not confined to Department of Defense contracts.

Epstein Becker Green Staff Attorney Ann W. Parks contributed to the preparation of this post.
