Cybersecurity and the FCA: Illumina Signals "No Breach" Enforcement Risks

August 06, 2025

A $9.8 million False Claims Act (FCA) settlement between Illumina Inc. and the U.S. Department of Justice (DOJ) is unique among cybersecurity enforcement actions because it did not result from a data breach but, according to DOJ allegations, from inadequate cybersecurity.

The settlement is one of the first FCA resolutions involving cybersecurity-related allegations against a medical device manufacturer, and, as we contemplated when the DOJ announced this initiative, it may confirm a new trend in enforcement.

The DOJ continues to expand use of the implied certification theory of liability, a framework solidified by the U.S. Supreme Court in Universal Health Services v. Escobar (2016). For companies regulated by the Food and Drug Administration (“FDA”), this settlement confirms that a failure to implement cybersecurity standards meeting FDA regulatory expectations may lead to FCA liability, even in the absence of a cybersecurity breach or explicitly misleading statement.

Understanding the Allegations

The DOJ alleged that Illumina:

  • Failed to incorporate cybersecurity into the design, development, installation, and marketing of software-enabled medical devices;
  • Did not adequately support product security teams or correct known vulnerabilities; and
  • Misrepresented compliance with FDA cybersecurity requirements over a seven-year period (2016–2023).

Importantly, the complaint did not allege any confirmed cybersecurity breach or patient harm. Instead, the government’s theory of liability was based on misrepresentations—or omissions—regarding compliance with cybersecurity standards that were deemed material to federal reimbursement. See United States ex rel. Lenore v. Illumina Inc., 1:23-cv-00372 (D.R.I.).

Of the $9.8 million settlement, $4.3 million was designated as restitution. The whistleblower who filed the initial complaint received $1.9 million.

What is the FCA?

The FCA was enacted to protect the government from being overcharged or paying for unnecessary goods or services, including paying for goods or services that would not have been paid for but for a false claim. 31 U.S.C. §§ 3729-3733; 18 U.S.C. § 287. Under the FCA, it is illegal to knowingly present, or cause to be presented, a false claim for payment or approval, or to knowingly make, use, or cause to be made or used, a false record or statement material to a false or fraudulent claim. Violators may face both civil and criminal liability under the FCA. Critical to the FCA are its qui tam provisions, which allow private individuals (i.e., whistleblowers), such as company insiders, to file suit for violations of the FCA. The federal government then has the option to join the suit.

The Role of Implied Certification

The DOJ leaned on the implied certification doctrine, which holds that a claim for federal payment can be considered false or fraudulent if the claimant (in this case, Illumina) impliedly certifies compliance with legal or regulatory requirements that are material to the government’s payment decision.

In Universal Health Services v. Escobar, the Supreme Court ruled that:

  • When a company submits a claim for payment and fails to disclose noncompliance with material statutory, regulatory, or contractual requirements, the omission can give rise to FCA liability;
  • For the omission to be actionable, compliance must be a “condition of payment,” and the misrepresentation must be “material” to the government’s decision to pay.

In the Illumina matter, the DOJ argued that by marketing and selling devices into federally reimbursed settings, Illumina implied compliance with FDA cybersecurity requirements, and therefore the company falsely certified its eligibility for payment. The alleged misalignment between internal cybersecurity practices and these implied external representations created the basis for FCA enforcement, even without any affirmative false statements or known security incident.

A Shift in Enforcement Strategy

This settlement provides additional insight into how the government will apply the FCA to drug and device manufacturers:

  • Cybersecurity deficiencies in products and services present FCA risk, even without explicit statements and representations, including where products are reimbursed but not sold directly to federal programs.
  • Failure to meet FDA standards for product security, including regarding protection of sensitive patient information as a link to product safety, can be material under the FCA, regardless of whether a breach occurs.
  • Software vulnerabilities, if unaddressed, may be treated as evidence of a broader failure in a manufacturer’s quality system and regulatory obligations.

This expanded view of materiality builds on prior DOJ positions and extends them into the domain of FDA-regulated medical technology.

What Manufacturers Should Do Now

To mitigate risk under this evolving enforcement landscape, companies should consider implementing a robust cybersecurity program, including:

  1. Reassess Cybersecurity Programs and Quality System Scope and Comprehensiveness: Ensure that cybersecurity is adequately addressed in the company’s quality system procedures, IT infrastructure, and software development processes, particularly those governing design controls, CAPA, and postmarket surveillance. Vulnerabilities in all aspects of the product, including IT infrastructure, networks, and software, must be addressed.
  2. Strengthen Secure Development Practices: Confirm that the software development lifecycle (SDLC) includes secure coding standards, formal threat modeling, risk-based testing, and patch deployment protocols.
  3. Review Submissions and Certifications: Evaluate whether regulatory submissions (e.g., 510(k)s, PMAs), agreements, and any promotional materials contain explicit or implied statements regarding cybersecurity, including references to national or international standards or frameworks (such as NIST, ISO, HITRUST, SOC, or others). Unsupported claims may create FCA risk.
  4. Implement a Coordinated Vulnerability Disclosure (CVD) Program: Companies should have clear processes for receiving, evaluating, and addressing reports from external security researchers. The FDA expects these pathways to be defined and operational.

What Comes Next

The Illumina case is likely the first of many, particularly given the incentive for whistleblowers. It illustrates a growing trend in which:

  • Cybersecurity obligations are treated as enforceable components of FDA compliance;
  • Statements or omissions in regulatory submissions or marketing materials may trigger liability;
  • DOJ is willing to pursue FCA actions based on regulatory misalignment, even without evidence of actual harm.

Life sciences companies would be well served to evaluate the sufficiency of their current product security programs and how those programs are reflected in documentation, systems, and public-facing representations.

How Gardner Law Can Help

Gardner Law works with companies at all stages of the product lifecycle to help align cybersecurity programs, quality systems, and regulatory submissions with FDA, HIPAA, GDPR, and other applicable legal and cybersecurity frameworks. The firm’s attorneys have deep experience helping clients reduce risk through practical, actionable guidance.

To assess whether your current cybersecurity program meets current regulatory expectations or to evaluate potential risk under the FCA’s implied certification doctrine, contact Gardner Law.