DOJ Sets Its Cyber FCA Sights on Medical Device Companies
On July 31, 2025, the U.S. Department of Justice (DOJ) announced its first-ever (to our knowledge) cyber FCA settlement involving a medical device company. The case shows that cybersecurity representations tied to product design and functionality can carry FCA risk. Illumina Inc. agreed to pay $9.8 million to resolve FCA allegations that it sold genomic sequencing systems with software containing cybersecurity vulnerabilities to a host of federal government agencies, including the U.S. Health and Human Services Department, the U.S. Department of Veterans Affairs, the National Aeronautics and Space Administration, the U.S. Army, the U.S. Navy, the U.S. Air Force, the U.S. Department of Homeland Security, and even the Smithsonian Institution.
Notably, and a common theme in most of the recent cyber FCA settlements, DOJ did not allege that any of the vulnerabilities resulted in an actual breach or exfiltration of data. Instead, the government focused on alleged misrepresentations about compliance with cybersecurity standards and failures to address known product security gaps.
The settlement was preceded by a qui tam complaint filed by Illumina’s former Director for Platform Management, On-Market Portfolio, who will receive $1.9 million of the settlement amount as her relator’s share. According to her complaint, she had raised cybersecurity concerns internally, including with the Compliance Department, which opened an investigation, but she was ultimately terminated. Her complaint focused on allegations that Illumina failed to meet the U.S. Food and Drug Administration’s (FDA) Quality System Regulation (QSR) requirements related to design controls, corrective and preventive action, and management.
In contrast to the complaint, the conduct that is covered in the settlement agreement (the “covered conduct”) with DOJ does not reference the QSR or any FDA regulation. Rather, DOJ alleges that Illumina’s claims for payment to the various government agencies for the genomic sequencing systems were false because of several deficiencies tied to product cybersecurity, including that the company had:
- Falsely represented that certain software adhered to cybersecurity standards, citing both the International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST)
- Knowingly failed to incorporate product cybersecurity into software design, development, installation, and marketing
- Failed to adequately resource personnel, systems, and processes tasked with product security
- Failed to correct or remediate design features that introduced cybersecurity vulnerabilities into its systems
Interestingly, the settlement agreement does not identify which ISO or NIST standards were allegedly violated (e.g., ISO 27001, NIST SP 800-53). This lack of specificity stands in contrast to other recent cyber FCA settlements, which have expressly referenced NIST SP 800-171 (and, less often, NIST SP 800-53). It causes us at Qui Notes to question why no specific standard was identified here, creates ambiguity around the precise deficiencies DOJ viewed as material, and leaves companies and counsel guessing at the contours of DOJ’s expectations in this space.
Looking Ahead
While it’s possible that this recent settlement could be a one-off, our money is on this being the first of other cyber FCA settlements involving medical device companies. With DOJ’s Civil Cyber-Fraud Initiative picking up speed over the last two years, we expect that cybersecurity representations in contracts, in regulatory submissions, and in product design will remain an enforcement focus.
© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.