
DOJ secures first medical device cybersecurity False Claims Act settlement

The U.S. Department of Justice secured its first False Claims Act settlement involving cybersecurity requirements for medical devices on July 30, 2025, when biotechnology company Illumina Inc. agreed to pay $9.8 million plus interest to resolve allegations that it misrepresented compliance with federal cybersecurity requirements for medical device software.
 

What happened

The DOJ announced that Illumina Inc. will pay $9.8 million plus interest to settle allegations that the company misrepresented compliance with federal cybersecurity requirements for medical device software. The settlement resolves a whistleblower (qui tam) suit brought under the False Claims Act by a former Illumina employee, in which the government later intervened.
The complaint alleged that from January 2016 to April 2023, Illumina failed to incorporate adequate cybersecurity into the design, development, installation, and marketing of certain products used for research and clinical purposes. According to the relator, the company also failed to maintain adequate product security programs, correct known cybersecurity vulnerabilities, or provide sufficient support for personnel and systems tasked with product security. During this period, Illumina allegedly certified to the FDA that its products complied with applicable cybersecurity requirements despite these deficiencies.
Under the settlement terms, Illumina will pay $4.3 million in restitution as part of the total $9.8 million resolution. The relator will receive $1.9 million of the settlement proceeds.
 

Going deeper

This case marks the first FCA settlement focused specifically on alleged failures to meet cybersecurity requirements for medical devices, and it proceeded without allegations of an actual breach. The DOJ's theory of liability rested on false representations of compliance and inadequate internal controls to detect and remediate vulnerabilities.
 

What was said

Assistant Attorney General Brett A. Shumate of the Justice Department's Civil Division said, "Companies that sell products to the federal government will be held accountable for failing to adhere to cybersecurity standards and protecting against cybersecurity risks. This settlement underscores the importance of cybersecurity in handling genetic information and the Department's commitment to ensuring that federal contractors adhere to requirements to protect sensitive information from cyber threats."
Special Agent in Charge Roberto Coviello of the HHS Office of Inspector General added, "Significant damage can result from a failure to adhere to required cybersecurity standards, especially when the systems involved include sensitive genomic data. HHS-OIG and our law enforcement partners remain dedicated to ensuring that entities who do business with the government uphold their cybersecurity obligations."
 

In the know

The FDA has heightened its regulatory expectations for cybersecurity in medical devices. Under Section 524B of the Federal Food, Drug, and Cosmetic Act, which took effect on March 29, 2023, manufacturers of "cyber devices" must include cybersecurity information in premarket submissions: a plan to monitor, identify, and address postmarket vulnerabilities; evidence of processes that provide reasonable assurance the device is cybersecure, including the ability to deliver updates and patches; and a software bill of materials (SBOM). Cyber devices are broadly defined as those that include software, can connect to the internet, and contain technological characteristics that could be vulnerable to cybersecurity threats.
 

Why it matters

This settlement sets a marker for healthcare technology companies by demonstrating that the DOJ will pursue False Claims Act cases for cybersecurity compliance failures even without evidence of an actual data breach. Medical device manufacturers now face dual enforcement risk for the same cybersecurity deficiencies: FDA regulatory action and DOJ civil enforcement under the False Claims Act, which carries treble damages and per-claim penalties.
The case signals that companies can no longer treat cybersecurity certifications to federal agencies as routine paperwork. The DOJ has shown it will scrutinize whether companies actually implement the controls they certify as being in place, creating potential liability for any gap between representations and reality.
 

The bottom line

Medical device manufacturers must treat cybersecurity compliance as both a regulatory and legal imperative, with documentation (vulnerability tracking, remediation records, and security program evidence) to support any certifications made to federal agencies. Companies should conduct immediate gap analyses of their cybersecurity controls against FDA requirements and ensure all representations accurately reflect their actual security posture to avoid similar enforcement action.
 

FAQs

What is the False Claims Act and how does it apply to cybersecurity compliance?

The False Claims Act is a civil statute that allows the government to pursue entities that submit false claims for federal funds, including claims that rest on false certifications of cybersecurity compliance.
 

How can whistleblowers trigger government action under the False Claims Act?

Whistleblowers (relators) can file qui tam lawsuits on the government's behalf when they believe an organization has misrepresented compliance. The DOJ may then intervene, and the relator receives a share of any recovery, as the former Illumina employee did here.
 

Does the DOJ need evidence of an actual cyber breach to pursue an FCA case?

No, the DOJ can act based solely on false claims of compliance without proof of a data breach.
 

What kinds of products qualify as “cyber devices” under the FDA’s definition?

Cyber devices are those that include software, can connect to the internet, and contain technological characteristics that could be vulnerable to cybersecurity threats.
 

What role does the FDA play in enforcing cybersecurity in medical devices?

The FDA sets premarket submission requirements for cybersecurity, can decline to accept submissions that lack the required cybersecurity information, and can take regulatory action against noncompliant manufacturers.