Biotech firm Illumina has agreed to cut the US government a check for the eminently affordable amount of $9.8 million to resolve allegations that it has been selling the feds genetic testing systems riddled with security vulnerabilities the company knew about but never bothered to fix.
The Justice Department announced the deal on Thursday, settling whistleblower allegations that the company had been selling knowingly insecure DNA testing devices to the government for more than seven years. Over the course of that time, Illumina submitted countless invoices to government agencies requesting payment for devices it had claimed met cybersecurity standards but which didn’t, and therein lies the crime: Illumina allegedly submitted false claims.
“Significant damage can result from a failure to adhere to required cybersecurity standards, especially when the systems involved include sensitive genomic data,” Special Agent in Charge Roberto Coviello of the U.S. Department of Health and Human Services Office of Inspector General said in a release about the settlement.
According to the original complaint [PDF], filed in 2023, Illumina systems themselves store confidential patient genetic test results, and the lack of compliance with security regulations by ignoring known issues means that data could have been compromised. However, there’s no indication in the complaint of any data exfiltration.
Regardless, the DoJ alleged in 2023 that Illumina “completely disregarded [cybersecurity] requirements in its race to develop and maintain control of the global genetic testing market” by allowing a number of known issues to ship on production devices.
Don’t go thinking that Illumina is some two-bit player, either. According to the complaint, the company already controls over 80 percent of the global genetic testing market, meaning chances are good that, if you’ve ever had genetic testing done at a hospital, your tests have been performed on an Illumina machine.
The complaint singles out several problems, including giving improper elevated privileges on user accounts, hardcoding user credentials stored on devices, and failing to mitigate insider threats. Two recalls mentioned in the complaint, one in 2022 and the other in April 2023, apparently involved the same software problem, which the DoJ noted continued to be unresolved at the time of its complaint in September 2023.
“Illumina products currently on the market continue to contain material cybersecurity vulnerabilities, which threaten the integrity of the testing data produced by the products and compromise patient confidentiality,” the DoJ said in 2023. “This case is precisely the type of fraud scheme that the U.S. Department of Justice seeks to remedy under the False Claims Act through its Civil Cyber-Fraud Initiative.”
Illumina naturally made no admission of guilt to the government’s allegations, telling The Register that it agreed to settle the case “to avoid the uncertainty, expense and distraction of litigation,” a common refrain in such situations. Illumina added that the allegations pertained to software issues that it had fixed between 2022 and 2024.
“Government agencies are important customers and Illumina values these relationships,” a company spokesperson told us in an email. “Illumina takes data security seriously and has invested significantly in its programs to align with cybersecurity best practices for the development and deployment of our products. We are pleased to put this matter behind us.”
Without questioning the company’s commitment to being security forward, we still feel the need to address another cybersecurity issue Illumina had that wasn’t mentioned in the lawsuit.
We reported in January that Illumina iSeq 100 DNA sequencing machines had shipped with a six-year-old BIOS that was vulnerable to malware, ransomware, and being bricked. The devices came with Secure Boot disabled and had nothing in the way of firmware protections, allowing anyone to modify their underlying code without detection. Illumina told us in January that it had established an oversight and accountability process to prevent such things from happening again.
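The Secure Boot finding above is the kind of thing an operator can verify on their own fleet rather than take on trust. The following is an added example, not code from The Register, Illumina, or the January report: it reads the UEFI `SecureBoot` and `SetupMode` variables that a Linux host exposes through efivarfs and reports whether Secure Boot is actually being enforced. It assumes a Linux host with efivarfs mounted at `/sys/firmware/efi/efivars` (the sequencers themselves may run a different OS); the variable names and the EFI global-variable GUID are standard UEFI, and the constructed byte strings in the test are made up to exercise the parser.

```python
"""Report whether this Linux host booted with UEFI Secure Boot enforced.

Added example; not code from The Register or Illumina. Assumes efivarfs is
mounted at /sys/firmware/efi/efivars. The GUID below is the EFI global
variable namespace that SecureBoot and SetupMode live in.
"""
import os
import struct
from typing import Optional, Tuple

EFIVARS = "/sys/firmware/efi/efivars"
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs file into (attribute mask, payload).

    efivarfs prefixes every variable with a 4-byte little-endian attribute
    mask; the variable's real contents follow it.
    """
    if len(raw) < 4:
        raise ValueError("efivar payload too short to contain an attribute mask")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_state(secure_boot_raw: Optional[bytes],
                      setup_mode_raw: Optional[bytes]) -> str:
    """Classify the boot state from the raw SecureBoot/SetupMode variables.

    Returns one of: unsupported, unknown, setup-mode, enabled, disabled.
    """
    if secure_boot_raw is None:
        # No SecureBoot variable at all: legacy BIOS boot or no efivarfs.
        return "unsupported"
    _, sb = parse_efivar(secure_boot_raw)
    if not sb:
        return "unknown"
    if setup_mode_raw is not None:
        _, sm = parse_efivar(setup_mode_raw)
        if sm and sm[0] == 1:
            # Setup mode means no Platform Key is enrolled, so signature
            # checks are not enforced even if SecureBoot reads as 1.
            return "setup-mode"
    return "enabled" if sb[0] == 1 else "disabled"


def read_host_state() -> str:
    """Read the live variables from efivarfs and classify them."""
    def _read(name: str) -> Optional[bytes]:
        path = os.path.join(EFIVARS, f"{name}-{GLOBAL_GUID}")
        try:
            with open(path, "rb") as f:
                return f.read()
        except OSError:
            # Missing file, no efivarfs, or insufficient permissions.
            return None
    return secure_boot_state(_read("SecureBoot"), _read("SetupMode"))


if __name__ == "__main__":
    print(f"secure boot: {read_host_state()}")
```

Anything other than `enabled` is worth an inventory ticket: `disabled` matches the iSeq 100 finding, `setup-mode` means the firmware will accept unsigned boot components even though the switch reads on, and `unsupported` usually means a legacy BIOS boot where there is no Secure Boot to speak of.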
The payment shouldn’t make much of a dent in Illumina’s business. According to the complaint, Illumina’s many government contracts for hardware, software, and service have earned it “at least hundreds of millions of dollars” over the years. The company, which is due to report earnings after the bell Thursday, netted $131 million in the first quarter of 2025. ®