What Does a DOJ Settlement Have in Common with a Good Book? They Both Can Change Your Life*

August 15, 2025 | By Jennifer D. Newberger & Anne K. Walsh

The authors of this post are both avid bibliophiles, and keenly appreciate the hook of a good title or first sentence that draws you right in. Usually the titles of government press releases do not share this allure, but there was one recently that caught our attention. On July 31, 2025, the Department of Justice (DOJ) issued a press release titled: “Illumina Inc. to Pay $9.8M to Resolve False Claims Act Allegations Arising from Cybersecurity Vulnerabilities in Genomic Sequencing Systems.” Since most settlements with the government stem from actual harm caused, we found the word “vulnerabilities” of particular interest, and knew we needed to settle in to read more.

The allegations, brought to DOJ’s attention by a qui tam relator, state that from February 2016 through September 2023 Illumina submitted or caused to be submitted false claims to a variety of federal government agencies, including DOJ, Department of Health and Human Services, Department of Veterans Affairs, and others, for payment for the purchase of certain of Illumina’s genomic sequencing systems. The punchline of the settlement may be the following: “The United States contends that the claims to the Agencies were false, regardless of whether any actual cybersecurity breaches occurred, because the [genomic sequencing systems’] software had cybersecurity vulnerabilities, and Illumina did not have an adequate product security program and sufficient quality systems to identify and address cybersecurity vulnerabilities affecting the [] software.” (Emphasis added.)

Like a line out of a good Stephen King novel, this sentence should put fear in the heart of any company that manufactures software-reliant medical devices sold to the government. And just like that Stephen King novel, you need to keep reading to find out more.

It turns out that DOJ’s position was not merely based on the presence of potential “vulnerabilities,” but rather on its finding that “Illumina knowingly failed to incorporate product cybersecurity in its software design, development, installation, and on-market monitoring; failed to properly support and resource personnel, systems, and processes tasked with product security; failed to adequately correct design features that introduced cybersecurity vulnerabilities in the genomic sequencing systems; and falsely represented that the software on the genomic sequencing systems adhered to cybersecurity standards, including standards of the International Organization for Standardization and National Institute of Standards and Technology.”

Even with all that, and even assuming some part of the allegations is true, it is still startling that these actions, which appear to be violations of FDA’s Quality System Regulation, led to a seven-figure settlement. Notably, there is no discussion of FDA requirements, quality system or otherwise, just general references to “cybersecurity standards” and “cybersecurity obligations.”

So what does this mean for medical device companies moving forward? Perhaps not much, beyond additional focus on complying with the already-existing cybersecurity requirements. While not explicitly stated, it stands to reason that, given this administration’s focus on national security, this particular settlement may stem from potential threats to national security that could be presented by cybersecurity “vulnerabilities” and really has very little, if anything, to do with FDA requirements more broadly. As DOJ states in its press release, the concerns here related to protecting “sensitive information from cyber threats,” “combat[ing] cybersecurity risks,” and the consequences that may stem “from a failure to adhere to required cybersecurity standards, especially when the systems involved include sensitive genomic data.”

It is worth comparing this settlement with earlier cases involving alleged violations of drug good manufacturing practices, like United States ex rel. Rostholder v. Omnicare, Inc., No. 12-2431 (4th Circ. Feb. 21, 2014). Courts have rejected False Claims Act theories based solely on alleged regulatory violations, noting that the FCA is not “a sweeping mechanism to promote regulatory compliance.” The focus in those cases was that compliance with the current good manufacturing practice (cGMP) regulations was not material to payment by Medicare and Medicaid. Although “the correction of regulatory problems is a worthy goal,” such a theory is “not actionable under the FCA in the absence of actual fraudulent conduct.”

While the Illumina settlement is not necessarily an indicator that DOJ is interested in going after medical device companies simply for QSR violations, a company’s quality management system and its cybersecurity are inextricably linked. The one thing that is certain from this settlement is that if you have a medical device with software (and let’s be honest, these days, that describes most of them), you should review your cybersecurity risk management plan, assess any potential vulnerabilities, and implement necessary mitigations. You don’t want to be the lead character of the sequel.

* Credit to Helen Exley for the quote, “Books can be dangerous. The best ones should be labeled ‘This could change your life.’”