Whistleblower Who Said Biotech Manufacturer Defrauded Federal Agencies Settles Lawsuit

Illumina genomic sequencers were used widely by federal agencies and grantees, including URI researchers

A technician works among a fleet of desktop genomic sequencing machines at the Cancer Genomics Research Laboratory, part of the National Cancer Institute.
Daniel Sone/National Cancer Institute

The world’s leading manufacturer of DNA sequencing systems will pay $9.8 million to resolve allegations that it knowingly sold products with security vulnerabilities to federal agencies, Rhode Island’s Acting U.S. Attorney Sara Miron Bloom announced Thursday.

The settlement avoids a lengthy court battle for biotech manufacturer Illumina by ending a 2023 suit filed in U.S. District Court for the District of Rhode Island by whistleblower Erica Lenore, a former platform management director at the San Diego company who raised concerns about product security and was eventually let go.

The $9.8 million settlement allocates $1.9 million to Lenore for initiating the suit and cooperating with federal agencies. Another $4.3 million is specifically labeled as restitution for the government. The company also needs to pay 4.33% interest on the settlement money, backdated to March 2025.

The settlement text does not specify how the remaining funds are broken down. The court case, which has now been dismissed and unsealed, rested upon the False Claims Act, which allows for the prosecution of people and companies who knowingly defraud the government. False Claims settlements typically include money for other penalties or court fees.

The settlement resolves the government’s civil allegations, and the government has not filed any criminal charges against Illumina, although the settlement allows for future legal action. A separate agreement settles Lenore’s personal civil claims.

According to the 2023 court filing, Rhode Island’s federal court was eligible for jurisdiction over the case because of a research initiative at the University of Rhode Island — the Rhode Island IDeA Network of Biomedical Research Excellence — that is funded in part by National Institutes of Health grants and used Illumina equipment.

The lawsuit says that university researchers used the company’s MiSeq line, which was recalled in 2023 over cybersecurity concerns.

Thursday’s settlement was obtained through a joint effort by the U.S. Attorney’s Office for the District of Rhode Island and the Justice Department’s Civil Division, Commercial Litigation Branch and Fraud Section, with additional assistance from other federal investigators.

Among the federal agencies that purchased and used vulnerable Illumina products from 2016 to 2023 were the Departments of Justice, Health and Human Services, the Interior, Energy, Commerce and Veterans Affairs, as well as the Smithsonian, the National Aeronautics and Space Administration (NASA), and the Army, Navy, and Air Force.

Since 2001, Illumina has received $530 million in direct federal funding, with $43 million in 2022 alone, according to court documents. It also receives pass-through money via Medicare reimbursements, as clinical labs use Illumina systems for genetic testing.

The security issues in Illumina’s products “allowed thousands of Illumina insiders and everyday users of its products the ability to access and manipulate HIPAA-protected patient genomic data, including test results and to do so without detection,” the suit argued.

Christine Douglass, a spokesperson for Illumina, shared a statement via email Thursday that denied the allegations. The company settled, Douglass wrote, to forgo “the uncertainty, expense, and distraction of litigation.” As part of the settlement, it did not admit any wrongdoing.

“Government agencies, including the U.S. Food and Drug Administration (FDA), are important customers and Illumina values these relationships,” Douglass said. “Illumina takes data security seriously and has invested significantly in its programs to align with cybersecurity best practices for the development and deployment of our products. We are pleased to put this matter behind us.”

Douglass said that Illumina “successfully remediated” security issues for its customers from 2022 to 2024.

What the lawsuit says

The 72-page lawsuit explains that Illumina is the only servicer for its products, like the MiniSeq and NextSeq, both of which are named in the suit. Because Illumina is the only servicer for its products across their lifecycle, the company needs to contract with government agencies to provide maintenance as needed.

The lawsuit alleged these government contracts were violated when it was discovered that Illumina had been selling products with unaddressed security holes, such as human-readable passwords coded into software.

“Illumina improperly hard-coded credentials used to access confidential patient genomic data stored in the cloud, allowing everyday users to see the login information in plain text,” the lawsuit alleged.

Another vulnerability involved software that was too liberal with elevated privileges for user accounts. That meant that “thousands of everyday users” could exert considerable control over Illumina systems.

“Illumina has improperly allowed elevated privileges to users running genetic tests on Illumina products that are connected to an open network,” the suit reads. “These users include everyone — research assistants, third-party vendors, laboratory technicians, scientists, clinical investigators, engineers, and research and development staff — individuals who have no need for access to confidential and HIPAA-protected patient data including genomic test results.”

Federal prosecutors strengthened their case for False Claims Act liability with several eyebrow-raising examples that the company was verifying compliance with government standards while knowing otherwise. In 2022, Illumina initiated a product recall only after its customer, the pharmaceutical giant Roche, informed it of a vulnerability in its sequencing software. Roche routinely tests software and hardware it uses for security flaws, but according to prosecutors, Illumina had not performed its own testing on the product in question.

The lawsuit says that, in another instance, an internal Illumina report noted that a product it was about to launch could most likely be hacked by “a disgruntled ex- or current staff member, with access to the [local] network.” Illumina launched the product three days later and did not disclose the security concerns to the feds.

Illumina did recall products multiple times, but the court complaint calls some of these efforts a “half-truth,” as Illumina allowed different products with the same vulnerabilities to stay on the market.

The company, which made $4.372 billion last year, holds about 80% of the genomic sequencing market. Its products are used in research, medicine, and commercial gene testing.

“Illumina’s cybersecurity failures have been driven by its singular goal to maintain its dominant market presence,” the complaint reads. “When faced with customer complaints related to the accessibility of data in its products, Illumina took fatal shortcuts.”

Whistleblower Lenore — described in the complaint as a “respected professional in the field of life sciences technologies and was hired by Illumina to oversee all of Illumina’s on-market products” — noticed some of these shortcuts during her time at the company, during which she balanced overlapping roles in product management.

Lenore became concerned about security issues that popped up and repeatedly brought her concerns to higher-ups, but was “ignored, reprimanded, marginalized, and retaliated against by Illumina.” Lenore ultimately lost her job in what the company called a “restructuring,” the lawsuit reads.

This story was originally published by the Rhode Island Current.
