The US Department of Justice’s settlement with Illumina, Inc. is a first-of-its-kind involving alleged cybersecurity deficiencies causing violations of the False Claims Act (FCA) based on FDA quality standards. This enforcement framework, typically seen in other industries such as defense contracting, serves as a warning to companies in the life sciences, medtech, and digital health space that DOJ and the whistleblower bar are expanding the scope of this flavor of FCA enforcement, and those companies should prepare accordingly.
The Relator’s Complaint
Illumina is a medical device company that produces genetic testing products, otherwise referred to as “genomic sequencing systems.” According to the complaint and settlement, filed in 2023 in the District of Rhode Island, Illumina ignored and failed to mitigate cybersecurity vulnerabilities in its products.
These alleged failures included granting elevated privileges to general users, which allowed for potential access to patient data, exposing credentials of users through the use of “hard coding” items such as usernames and passwords, and failing to mitigate the threat of company “insiders” inappropriately accessing data provided as part of the products.
The relator alleged that these cybersecurity issues were well known to the company, citing outside sources reporting ransomware attacks on Illumina and the company’s failure to address the vulnerabilities, which ultimately led to multiple product recalls.
The relator takes the position that these alleged cybersecurity issues resulted in Illumina’s failure to comply with certain requirements under FDA’s Quality System Regulation (QSR). Specifically, the complaint cites to FDA’s QSR requirements for design controls and further asserts that FDA recommends that medical device manufacturers implement “comprehensive cybersecurity risk management programs and documentation consistent with the QSR.”
But this alleged regulatory noncompliance, alone, would not be sufficient to establish violations of the FCA. To allege the requisite “hook” to federal funding, the complaint alleges that, because Illumina failed to comply with the requisite regulatory standards, the representations it made as part of its certifications accompanying federal grants and contracts from the National Institutes of Health (NIH) and other agencies were false and thereby rendered the funds Illumina received from the NIH fraudulent under the FCA.
The complaint also attempts to allege that claims to Medicare and Medicaid submitted by third-party laboratory testing companies that used Illumina’s products were similarly false under an implied certification theory.
FCA Cybersecurity Enforcement Enters New Frontier
The settlement shows that DOJ and whistleblowers are beginning to focus FCA enforcement efforts related to cybersecurity on life sciences and medtech. This expansion is not surprising. As DOJ representatives have previously commented, FCA cybersecurity cases, which began in earnest with DOJ’s Cyber-Fraud Initiative under the Biden administration, have been and will remain a fixture of enforcement efforts under the US administration.
But previous enforcement efforts have been largely focused on defense contractors and other recipients of large federal contracts and grants. For example, one of the most recent FCA cybersecurity settlements was with a large public research university for allegedly failing to comply with cybersecurity requirements of contracts with the US Department of Defense (DOD) and the National Aeronautics and Space Administration. Indeed, recent regulatory efforts by the DOD with respect to its Cybersecurity Maturity Model Certification have provided a new source of such potential FCA liability.
Ultimately, the settlement demonstrates that DOJ and whistleblowers are attempting to map the FCA framework involving government contracting and cybersecurity requirements onto life sciences and medtech companies that receive federal funding or develop products or systems used for healthcare services reimbursed under federal programs. The complaint cites numerous FCA cases and settlements with recipients of DOD contracts for violating cybersecurity requirements to demonstrate that the same principles apply to the allegations against Illumina.
FCA Cybersecurity Application to Life Sciences and Medtech Companies Remains Untested
Stakeholders should not, however, take this settlement to mean that the framework of FCA cases based on cybersecurity requirements is foolproof when applied to life sciences and medtech companies.
In fact, the case raises several questions about the viability of such arguments. For instance, the complaint cites to NIH grants, including the NIST Framework for Improving Critical Infrastructure Cybersecurity, among other government contracts, but fails to cite provisions of these grants and/or contracts that expressly relate to or require a certain level of cybersecurity infrastructure and associated reporting. The complaint does not allege, for example, that these grants and contracts included provisions or certifications involving compliance with QSR requirements for cybersecurity.
Further, the complaint’s other theory of liability, that Illumina caused the submission of false claims by third parties to Medicare and Medicaid, similarly does not identify specific certifications made by the third parties with respect to the cybersecurity infrastructure of the products involved with the claims for services.
These theories remain untested in the courts regardless of the settlement, under which Illumina denied the allegations and all liability in connection with the matter.
Key Takeaways
The case and settlement should be a warning that enforcement agencies and whistleblowers may target life sciences, medtech, and digital health stakeholders with FCA claims based on alleged cybersecurity vulnerabilities. Stakeholders should use the settlement as an opportunity to assess their compliance with cybersecurity standards, both voluntary industry guidance and express requirements of government grants and contracts.
But the settlement reveals some key unanswered questions about the legal viability of such allegations, especially with respect to specific claims for services to government healthcare programs associated with medical devices. As such, if stakeholders receive a request for information related to their cybersecurity infrastructure, swift and strategic responses will be critical.