Tycko & Zavareei LLP: Cybersecurity Whistleblower receives $1.9 Million Reward of Nearly $10 Million False Claims Act Qui Tam Case Against a Biotechnology Company

July 31, 2025, 18:55

WASHINGTON, July 31, 2025 /PRNewswire/ -- After receiving a Whistleblower complaint on September 8, 2023, the United States Department of Justice investigated and resolved a False Claims Act qui tam whistleblower lawsuit against Illumina, Inc., an American publicly traded biotechnology company, which develops and manufactures products related to genetic testing and research. A copy of the Whistleblower (Relator) Team's complaint is here. A copy of the Department of Justice settlement agreement is here. A link to the Department of Justice press release is here.

This is a first-of-its-kind case involving alleged cybersecurity violations of medical devices that are regulated by the U.S. Food and Drug Administration (FDA) and used for both research and clinical purposes for patients. This settlement is a primary example of the United States' expansion of cybersecurity enforcement to the healthcare industry, which is entrusted with highly confidential patient data.

This settlement between the United States and Illumina stemmed from allegations that Illumina knowingly:

  • failed to incorporate product cybersecurity in its software design, development, installation, and on-market monitoring;
  • failed to properly support and resource personnel, systems, and processes tasked with product security;
  • failed to adequately correct design features that introduced cybersecurity vulnerabilities in its Genomic Sequencing Systems; and
  • falsely represented that the LRM and UCS software on the Genomic Sequencing Systems adhered to ISO and NIST cybersecurity standards.

False Claims Act liability was alleged regardless of whether any actual cybersecurity breaches occurred, because certain software had cybersecurity vulnerabilities, and Illumina did not have an adequate product security program and sufficient quality systems to identify and address cybersecurity vulnerabilities affecting the software at issue.

The whistleblower, also known as a qui tam relator, was a former employee of Illumina.  The case highlighted the critical role whistleblowers play in disclosing to the U.S. Department of Justice known cybersecurity failures at their place of work.  According to the Department of Justice, "[w]hen companies that do business with the government knowingly make misrepresentations about their own cybersecurity practices, or when they fail to abide by cybersecurity requirements in their contracts, grants or licenses, the government does not get what it bargained for." And "when false assurances are made to the government, sensitive government information and systems may be put at risk without the government even knowing it."

Acting United States Attorney for the District of Rhode Island Sara Miron Bloom and U.S. Department of Justice Civil Frauds Trial Attorney Erin Colleran are responsible for this important resolution. Whistleblower attorneys Renée Brooker and Eva Gunasekera represented the relator with support from qui tam attorneys Jaclyn S. Tayabji, Marika K. O'Connor Grant, and qui tam paralegal Emma Schilp of Tycko & Zavareei LLP. Employment lawyer Cecilia Brennan, Managing Partner of HKM Employment LLP's San Diego and Irvine offices, also co-represented the Whistleblower on her employment claims. This settlement exemplifies the success of the False Claims Act public-private partnership between the U.S. Department of Justice and Whistleblowers to hold corporate America accountable for known-but-unmitigated cybersecurity failures that impact government programs and taxpayer funds.

If you believe you may have knowledge of any of the conduct below, the Department of Justice is interested in speaking with you. You can contact the Whistleblower Attorneys who handled this case for a free consultation at reneebrooker@tzlegal.com or eva@tzlegal.com. You can also go to Tycko & Zavareei LLP's website for whistleblowers to learn more here.

The Department of Justice Civil Cyber-Fraud Initiative is looking for employees (or other insiders) with knowledge and will hold accountable organizations that put U.S. information or systems at risk by:

  • knowingly providing deficient cybersecurity products or services,
  • knowingly misrepresenting their cybersecurity practices or protocols, or
  • knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

View original content: https://www.prnewswire.com/news-releases/tycko--zavareei-llp-cybersecurity-whistleblower-receives-1-9-million-reward-of-nearly-10-million-false-claims-act-qui-tam-case-against-a-biotechnology-company-302518907.html

SOURCE Tycko & Zavareei LLP