
DOJ Secures First of Its Kind Cybersecurity False Claims Act Settlement
On July 30, 2025, the U.S. Department of Justice ("DOJ") announced that biotechnology company Illumina Inc. agreed to pay $9.8 million plus interest to resolve allegations that it misrepresented compliance with federal cybersecurity requirements for medical device software. The settlement resolves a whistleblower suit brought under the False Claims Act ("FCA") by a former Illumina employee, in which the government later intervened.
The complaint alleged that, from January 2016 to April 2023, Illumina failed to incorporate adequate cybersecurity into the design, development, installation, and marketing of certain products used for research and clinical purposes. According to the relator, Illumina also failed to maintain adequate product security programs, failed to correct known cybersecurity vulnerabilities in those products, and failed to provide sufficient support for the personnel and systems responsible for product security. During this period, the company allegedly certified to the U.S. Food and Drug Administration ("FDA") that its products complied with applicable cybersecurity requirements despite these deficiencies.
Under the terms of the settlement, Illumina will pay $4.3 million in restitution as part of the total $9.8 million resolution. The relator will receive $1.9 million of the settlement proceeds. Illumina has denied the allegations but stated that it agreed to resolve the matter to avoid the uncertainty, expense, and distraction of litigation. The company emphasized that it remediated the identified software issues between 2022 and 2024 and reaffirmed its commitment to data security and its relationships with government customers.
Growing DOJ Cybersecurity FCA Enforcement
The Illumina resolution is notable because it is the first FCA settlement focused on alleged failures to meet cybersecurity requirements for medical devices—and it proceeded without allegations of an actual breach. The DOJ's theory of liability rested on false representations of compliance and inadequate internal controls to detect and remediate vulnerabilities.
This approach reflects a broader DOJ trend of using the FCA to pursue cybersecurity-related misrepresentations. Recent examples include:
- MORSECORP, Inc. – On March 26, 2025, a defense contractor agreed to pay $4.6 million to resolve allegations that it failed to implement required NIST SP 800-171 controls under Department of Defense ("DoD") contracts, submitted false Supplier Performance Risk System ("SPRS") scores, and used non-compliant cloud services. The relator will receive approximately $851,000. (DOJ Office of Public Affairs press release: "Defense Contractor MORSECORP Inc. Agrees to Pay $4.6 Million to Settle Cybersecurity Fraud Allegations.")
- Centene Corporation / Health Net Federal Services – On February 18, 2025, these entities agreed to pay $11.25 million to settle allegations that they falsely certified compliance with cybersecurity requirements under TRICARE contracts, failed to perform required vulnerability scanning, and ignored audit findings and internal warnings. (DOJ Office of Public Affairs press release: "Health Net Federal Services, LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability for Cybersecurity Violations.")
- Pennsylvania State University – On October 22, 2024, Penn State agreed to pay $1.25 million to resolve allegations that it failed to meet contractually required NIST SP 800-171 safeguards under DoD and NASA contracts and misrepresented its SPRS scores. (DOJ Office of Public Affairs press release: "The Pennsylvania State University Agrees to Pay $1.25M to Resolve False Claims Act Allegations Relating to Non-Compliance with Contractual Cybersecurity Requirements.")
These matters demonstrate that the DOJ is willing to bring FCA actions over deficient cybersecurity practices and false certifications, even without evidence of a successful intrusion or data loss. The government is placing increased emphasis on whether contractors have implemented the controls they certify as being in place and whether they can substantiate those certifications.
CMMC and Other Federal Cybersecurity Obligations
The Illumina settlement comes as cybersecurity compliance obligations for federal contractors are expanding. The Department of Defense's Cybersecurity Maturity Model Certification ("CMMC") Program Final Rule (32 CFR Part 170) took effect on December 16, 2024, and as the requirement is phased into solicitations through the accompanying DFARS rule, contractors will need to meet the CMMC level specified in their contracts.
At Level 1, contractors must implement and annually affirm compliance with the 15 basic safeguarding requirements for Federal Contract Information ("FCI") under FAR 52.204-21. Level 2 applies to Controlled Unclassified Information ("CUI") and requires full implementation of the 110 security requirements in NIST SP 800-171, verified by either a triennial self-assessment or a triennial third-party assessment, depending on the program. Level 3 adds selected enhanced security requirements from NIST SP 800-172 and requires a government-led assessment every three years.
These requirements complement longstanding FAR and DFARS clauses that remain in force. FAR 52.204-21 requires basic safeguarding of FCI. DFARS 252.204-7012 requires implementation of NIST SP 800-171 for CUI, cyber incident reporting, and flow-down to subcontractors. DFARS 252.204-7020 gives DoD the right to verify contractor compliance through assessment. DFARS 252.204-7021 will require contractors to maintain a current CMMC certification at the required level and to flow that requirement down to applicable subcontractors.
FDA Cybersecurity Requirements for Medical Devices
In parallel with defense and government contract enforcement, the FDA has heightened its regulatory expectations for cybersecurity in medical devices. Under Section 524B of the Federal Food, Drug, and Cosmetic Act, which took effect on March 29, 2023, manufacturers of "cyber devices" must include detailed cybersecurity information in premarket submissions. A cyber device is one that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device, (2) has the ability to connect to the internet, and (3) contains technological characteristics that could be vulnerable to cybersecurity threats.
Pursuant to FDA's final guidance issued in June 2025, sponsors must submit a cybersecurity plan describing processes for postmarket vulnerability monitoring and management, coordinated vulnerability disclosure, and deployment of patches and updates. They must also provide a Software Bill of Materials ("SBOM") covering commercial, open-source, and off-the-shelf software components, and demonstrate that cybersecurity is integrated into the device's design, risk management, and quality system processes. These requirements apply to 510(k), De Novo, and PMA submissions and are now a routine focus of FDA premarket review. The FDA emphasizes a risk-based approach, and even in the absence of an actual breach, failure to implement and document robust cybersecurity practices can expose manufacturers to regulatory and enforcement risk.
Practical Considerations for Prime and Subcontractor Compliance
The Illumina matter illustrates that FCA risk can arise not only from cybersecurity incidents but also from inaccurate certifications, incomplete control implementation, and insufficient oversight of product or system security. Contractors should ensure that their cybersecurity programs are comprehensive, documented, and verifiable, and that all representations—whether in proposals, contract deliverables, or periodic certifications—accurately reflect actual practice.
Prime contractors must also ensure that all applicable cybersecurity obligations are flowed down to subcontractors, including those in FAR 52.204-21, DFARS 252.204-7012 and DFARS 252.204-7021, where relevant. Flow-down provisions should be coupled with audit rights and verification mechanisms to confirm compliance at lower-tier levels, particularly for subcontractors handling CUI.
Contractors should institutionalize governance processes for cybersecurity compliance, provide training to relevant personnel, and maintain internal reporting channels to address potential issues promptly. Where gaps are identified, rapid remediation—accompanied by documentation of corrective action—and, where appropriate, voluntary disclosure can mitigate enforcement exposure.
Additional Takeaways for Medical Device Manufacturers
In light of the Illumina resolution, life sciences companies—particularly medical device manufacturers—should take proactive steps to mitigate risk under the False Claims Act and FDA oversight, including:
- Evaluate Cyber Device Scope: Determine whether existing or pipeline products qualify as "cyber devices" under Section 524B. FDA reads the "ability to connect to the internet" prong broadly, so devices that include software but are not designed as internet-facing (for example, those with USB, Bluetooth or Wi-Fi interfaces through which a connection is merely possible) may still be in scope.
- Update Premarket Submissions: Confirm that cybersecurity documentation in regulatory filings meets FDA's current expectations, including SPDF (Secure Product Development Framework) evidence, threat modeling outputs, SBOMs, architecture views, and coordinated vulnerability disclosure procedures.
- Align Quality Systems: Incorporate cybersecurity controls into quality system processes (e.g., design controls, risk management, software validation, CAPA) to ensure consistency with FDA and DOJ expectations.
- Substantiate FDA Certifications: Before submitting any certification of compliance to FDA or other government agencies, confirm that cybersecurity controls are fully implemented and verifiable. Document gaps and corrective actions where necessary.
- Coordinate Internally Across Legal, Regulatory, and IT Teams: Maintain ongoing cross-functional collaboration to monitor FDA guidance, enforce cybersecurity controls, and update incident response procedures.
- Anticipate Dual Risk Exposure: Recognize that misaligned or outdated cybersecurity practices may simultaneously trigger FDA scrutiny and DOJ enforcement under the False Claims Act—even in the absence of a breach.
Key Takeaway
The DOJ's use of the FCA to enforce cybersecurity requirements is no longer limited to traditional defense contracting and now extends into healthcare and other regulated industries. Contractors and subcontractors should treat cybersecurity compliance as a central contractual and regulatory obligation, backed by robust oversight, documentation, and enforcement of flow down requirements.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2025 White & Case LLP