Cybersecurity: Beware the False Claims Act
August 14, 2025
Last month, the DOJ announced a settled enforcement action against Illumina arising out of the sale of certain genetic sequencing systems to the federal government that contained cybersecurity vulnerabilities. The DOJ alleged that Illumina’s sale of these products to the government with these vulnerabilities violated the False Claims Act, and Illumina agreed to pay $9.8 million to resolve the DOJ’s allegations.
This excerpt from the D&O Diary’s blog about the Illumina settlement says that companies need to raise their consciousness about the False Claims Act when it comes to cybersecurity risks:
The DOJ’s news release about the settlement quotes one government official as saying that “Companies that sell products to the federal government will be held accountable for failing to adhere to cybersecurity standards and protecting against cybersecurity risks,” and as saying further that the settlement underscores “the Department’s commitment to ensuring that federal contractors adhere to requirements to protect sensitive information from cyber threats.”
The government’s pursuit of the claims against Illumina shows that among the risks companies may face as a result of cybersecurity vulnerabilities is the risk of potential governmental enforcement action under the False Claims Act. The government’s actions show that companies now face not only the risks of traditional regulator enforcement, but also, as the [Skadden] memo puts it, “from alleged failures to meet cybersecurity standards – particularly where those failures result in false representations to the government.”
The message of this case is that companies may need to expand their view of what constitutes cybersecurity risk. At a minimum, it is clear that corporate cybersecurity risk may now include potential False Claims Act liability for cybersecurity vulnerabilities in their products.
It’s worth noting that the Illumina settlement follows on the heels of a May 2025 False Claims Act settlement with Raytheon and Nightwing under which the companies agreed to pay $8.4 million to resolve claims arising out of their alleged non-compliance with contractual cybersecurity provisions in connection with the sale of certain products to the government.