San Diego, CA – [Date] — Biotechnology company Illumina Inc. has agreed to pay $9.8 million to settle a landmark cybersecurity qui tam lawsuit brought under the False Claims Act, the U.S. Department of Justice announced. The resolution addresses allegations that Illumina violated federal cybersecurity requirements related to medical devices used in research and clinical settings.
The lawsuit was originally filed in September 2023 by whistleblower Erica A. Lenore, a former employee of Illumina. Lenore alleged that the company failed to incorporate sufficient cybersecurity measures into its software and systems, misrepresenting compliance with FDA standards from February 2016 to September 2023. The government intervened in the case earlier this month.
According to the complaint, Illumina’s software design, development, and marketing practices left critical vulnerabilities unaddressed and lacked adequate security protocols. While no confirmed breaches were reported, the DOJ alleged that the vulnerabilities themselves, along with systemic failures to identify and remediate them, were grounds for False Claims Act liability.
As part of the settlement, Lenore will receive $1.9 million of the total amount. The agreement also includes $4.3 million in restitution, with interest accruing at 4.33% beginning March 6, 2025, until full payment is made.
“False Claims Act liability was pursued even without a specific breach, emphasizing that the failure to implement sufficient product security can carry serious legal consequences,” said Renée Brooker, one of Lenore’s attorneys at Tycko & Zavareei LLP. “This settlement signals a strong federal commitment to cybersecurity enforcement in the healthcare sector.”
In a statement, Illumina denied the allegations but acknowledged the settlement as a step to avoid prolonged litigation:
“We have agreed to resolve this matter to avoid the uncertainty, expense, and distraction of legal proceedings. The software issues at the center of the case were successfully remediated between 2022 and 2024.”
The company emphasized its ongoing commitment to data protection, stating, “Illumina takes data security seriously and continues to align with cybersecurity best practices to serve our customers, including government agencies such as the FDA.”
Lenore also claims she was retaliated against and ultimately fired for raising concerns about the company’s practices during her tenure.
The case, United States of America v. Illumina Inc., case number 1:23-cv-00372, was filed in the U.S. District Court for the District of Rhode Island.