
Federal authorities accept a settlement of $9.8 million from Gene Scanner Corporation, resolving security concerns and allegations.

Illumina potentially misrepresented that its testing equipment adhered to government benchmarks


In a landmark decision, biotech giant Illumina has agreed to pay $9.8 million to settle allegations that it disregarded cybersecurity requirements in its pursuit of the global genetic testing market. The settlement, announced by the US Department of Justice (DOJ) on Thursday, marks a first-of-its-kind enforcement action targeting cybersecurity failures in FDA-regulated medical devices within the biotechnology and healthcare sectors.

The DOJ alleged that Illumina knowingly failed to incorporate adequate cybersecurity measures into its product design, development, installation, and ongoing monitoring. The allegations cover the period between 2016 and 2023, during which Illumina sold government agencies genomic sequencing systems that had significant software security flaws.

The allegations included specific issues such as improper elevated user account privileges, hardcoded user credentials on devices, and insufficient protection against insider threats. Despite two recalls in 2022 and 2023 aimed at addressing these problems, vulnerabilities persisted in products on the market, posing risks to the integrity of genetic test data and the confidentiality of patient information.

The original complaint, filed in 2023, stated that Illumina systems store confidential patient genetic test results, and the lack of compliance with security regulations could have led to data compromise. However, there's no indication in the complaint of any data exfiltration.

Illumina controls over 80% of the global genetic testing market, and its many government contracts for hardware, software, and services have earned it "at least hundreds of millions of dollars" over the years. The settlement amount of $9.8 million is not expected to have a significant impact on Illumina's business, as the biotech firm netted $131 million in the first quarter of 2025.

In a statement, Illumina said it values its relationships with government agencies and takes data security seriously. The company claimed that it fixed software issues related to the allegations between 2022 and 2024. However, the settlement between Illumina and the government did not include an admission of guilt from Illumina.

In response to the allegations, Illumina established an oversight and accountability process to prevent such issues from happening again. The company also agreed to pay $1.9 million to a whistleblower who was a former Illumina employee and played a key role in exposing the issues.

The DOJ's settlement with Illumina was reached under its Civil Cyber-Fraud Initiative, which aims to remedy fraud schemes that threaten national security. The settlement highlights several problems, including improper elevated privileges on user accounts, hardcoded user credentials stored on devices, and a failure to mitigate insider threats.

Significant damage can result from a failure to adhere to cybersecurity standards, especially when systems involve sensitive genomic data. According to the U.S. Department of Health and Human Services Office of Inspector General, a failure to adhere to cybersecurity standards can lead to potential breaches, compromising the privacy and security of patients' sensitive health information.

In conclusion, Illumina faced serious government action due to known and unresolved cybersecurity vulnerabilities in its genomic sequencing systems sold to federal agencies, leading to a significant settlement under the False Claims Act for falsely representing product cybersecurity standards and deficiencies in addressing cybersecurity risks throughout the product lifecycle.

  1. The settlement between Illumina and the US Department of Justice (DOJ) under its Civil Cyber-Fraud Initiative stresses the importance of adhering to cybersecurity standards, especially in technology sectors like healthcare and biotechnology that handle sensitive data such as genomic information.
  2. The allegations against Illumina, a major player in the health-and-wellness market, included specific cybersecurity failures such as improper elevated user account privileges, hard-coded user credentials on devices, and insufficient protection against insider threats.
  3. The DOJ's settlement with Illumina serves as a warning for companies, emphasizing the potential consequences of disregarding cybersecurity regulations, particularly those involving FDA-regulated medical devices and software.
  4. The agreement also underscores the serious implications of cybersecurity failures in the context of artificial intelligence (AI) and the Internet of Things (IoT), as vulnerabilities in genomic sequencing systems can pose risks to the integrity of genetic test data and the confidentiality of patient information.
  5. In response to the allegations, the science community should aim to strengthen cybersecurity frameworks, ensuring both hardware and software components of healthcare technology adhere to rigorous standards to prevent data breaches and protect patient privacy.
