Federal authorities imposed a $9.8 million penalty on genomic sequencing giant Illumina for selling DNA analysis devices with known cybersecurity vulnerabilities to government agencies between 2016 and 2023. The settlement, reached under the False Claims Act, resolves allegations that the company supplied genomic sequencers to federal customers even though the devices failed to meet required cybersecurity standards.
Illumina faces $9.8 million penalty for knowingly selling cybersecurity-vulnerable DNA sequencers to federal agencies over seven years.
The devices contained software vulnerabilities that could allow unauthorized access to sensitive genetic and health data processed by defense and health agencies. Illumina’s products lacked cybersecurity built into their design and development phases, and the company also failed to provide adequate security updates after sale.
Internal teams and processes proved insufficient to identify and remediate software weaknesses, resulting in systems that did not comply with the federal cybersecurity standards established by NIST and ISO. Government investigators alleged that Illumina misrepresented its compliance status to qualify for federal contracts, submitting false claims that the devices met security and safety requirements. With the average cost of a data breach at $4.35 million, such security lapses are particularly concerning for federal agencies.
The genomic sequencing equipment processes extremely private genetic and health data in critical sectors, raising concerns about the potential exposure of confidential information belonging to federal employees and patients. Specific security flaws included hardcoded user credentials and other fundamental weaknesses that could compromise system integrity. Although no direct evidence of data exfiltration emerged, the vulnerabilities left sensitive information exposed to potential compromise.
The case originated from a whistleblower complaint filed in 2023, triggering investigations by multiple federal agencies including the Department of Defense and Health and Human Services. Former Illumina senior manager Erica Lenore will receive $1.9 million as a reward for her role in uncovering the cybersecurity violations. Illumina denied wrongdoing throughout the process, and the settlement resolves allegations without admission of liability by the company.
The penalty represents a fraction of Illumina’s revenue from hundreds of millions in federal contracts. Reports indicate the company continues selling devices with recognized vulnerabilities as of July 2025, notwithstanding the settlement.
Federal authorities said the case sends a broader compliance message to other medical device and biotechnology companies handling sensitive genomic and patient data. The settlement underscores growing regulatory scrutiny of cybersecurity standards for companies processing highly sensitive genetic information within federal systems, particularly those serving defense and healthcare agencies that manage classified research and personal health records.