Gene scanner pays $9.8 million to get feds off its back in security flap
- Reference: 1753990207
- News link: https://www.theregister.co.uk/2025/07/31/7_years_of_back_debt/
The Justice Department [1]announced the deal on Thursday, settling whistleblower allegations that the company had knowingly sold insecure DNA testing devices to the government for more than seven years. Over that period, Illumina submitted countless invoices to government agencies for devices it claimed met cybersecurity standards but which allegedly did not, and therein lies the alleged offence: in the government's view, each of those invoices was a false claim.
"Significant damage can result from a failure to adhere to required cybersecurity standards, especially when the systems involved include sensitive genomic data," Special Agent in Charge Roberto Coviello of the U.S. Department of Health and Human Services Office of Inspector General said in a release about the settlement.
According to the original [3]complaint [PDF], filed in 2023, Illumina systems themselves store confidential patient genetic test results, so shipping devices with known, unaddressed security issues in breach of the applicable requirements meant that data could have been compromised. However, the complaint gives no indication that any data was actually exfiltrated.
Regardless, the DoJ alleged in 2023 that Illumina "completely disregarded [cybersecurity] requirements in its race to develop and maintain control of the global genetic testing market" by allowing a number of known issues to ship on production devices.
Don't go thinking that Illumina is some two-bit player, either. According to the complaint, the company already controls over 80 percent of the global genetic testing market, meaning chances are good that, if you've ever had genetic testing done at a hospital, your tests have been performed on an Illumina machine.
The complaint singles out several problems, including granting user accounts improper elevated privileges, storing hardcoded credentials on devices, and failing to mitigate insider threats. Two recalls mentioned in the complaint, one in 2022 and the other in April 2023, apparently involved the same software problem, which the DoJ noted remained unresolved when it filed its complaint in September 2023.
"Illumina products currently on the market continue to contain material cybersecurity vulnerabilities, which threaten the integrity of the testing data produced by the products and compromise patient confidentiality," the DoJ said in 2023. "This case is precisely the type of fraud scheme that the U.S. Department of Justice seeks to remedy under the False Claims Act through its Civil Cyber-Fraud Initiative."
Illumina naturally made no admission of guilt to the government's allegations, telling The Register that it agreed to settle the case "to avoid the uncertainty, expense and distraction of litigation," a common refrain in such situations. Illumina added that the allegations pertained to software issues that it had fixed between 2022 and 2024.
"Government agencies are important customers and Illumina values these relationships," a company spokesperson told us in an email. "Illumina takes data security seriously and has invested significantly in its programs to align with cybersecurity best practices for the development and deployment of our products. We are pleased to put this matter behind us."
[8]HP settles fake discount lawsuit for just $4M. Don't expect much of a payout
[9]US defense contractor cops to sloppy security, settles after infosec lead blows whistle
[10]IT consultancy settles US battle over alleged $14.75M government contract fraud
[11]FTC accuses DNA testing company of lying about dumping samples
Without questioning the company's commitment to being security forward, we still feel the need to address another cybersecurity issue Illumina had that wasn't mentioned in the lawsuit.
We [12]reported in January that Illumina iSeq 100 DNA sequencing machines had shipped with a six-year-old BIOS that left them open to malware, ransomware, and being bricked. The devices came with Secure Boot disabled and had nothing in the way of firmware protections, allowing anyone with access to modify the underlying firmware without detection. Illumina told us in January that it had established an oversight and accountability process to prevent such things from happening again.
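The two conditions described above, Secure Boot switched off and a years-old BIOS, are both visible from a running Linux host without any vendor tooling. The script below is an added example (not Illumina's code, nor that of the researchers behind the January report) that reads the UEFI SecureBoot and SetupMode variables from efivarfs and the BIOS build date from DMI, and turns them into findings. The two-year BIOS age threshold is an assumed policy value, and the sample readings in the main block are constructed to mimic the iSeq 100 description, not captured from a real device.

```python
"""Firmware posture check for a Linux host: is UEFI Secure Boot actually
enforced, and how stale is the BIOS? Added example; not Illumina's code.
The age threshold and the sample readings are assumptions."""
import os
import struct
from datetime import date
from typing import List, Optional

EFIVARS = "/sys/firmware/efi/efivars"
# GUID of the EFI global variable namespace (holds SecureBoot and SetupMode).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
DMI_BIOS_DATE = "/sys/class/dmi/id/bios_date"
MAX_BIOS_AGE_DAYS = 2 * 365   # assumption: flag firmware older than ~2 years


def parse_efivar_bool(raw: bytes) -> bool:
    """efivarfs files start with a 4-byte little-endian attribute word, then
    the variable data. SecureBoot and SetupMode carry a single data byte."""
    if len(raw) < 5:
        raise ValueError("efivar payload too short: %d bytes" % len(raw))
    (_attrs,) = struct.unpack_from("<I", raw, 0)  # attributes, unused here
    return raw[4] == 1


def secure_boot_enforced(secure_boot_raw: bytes, setup_mode_raw: bytes) -> bool:
    """Signatures are only checked when SecureBoot == 1 AND SetupMode == 0.
    In setup mode no platform key is enrolled, so 'enabled' means nothing."""
    return parse_efivar_bool(secure_boot_raw) and not parse_efivar_bool(setup_mode_raw)


def bios_age_days(bios_date: str, today_iso: Optional[str] = None) -> int:
    """DMI bios_date is MM/DD/YYYY; today_iso (YYYY-MM-DD) is injectable for tests."""
    month, day, year = (int(p) for p in bios_date.strip().split("/"))
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    return (today - date(year, month, day)).days


def evaluate(secure_boot_raw: Optional[bytes], setup_mode_raw: Optional[bytes],
             bios_date: Optional[str], today_iso: Optional[str] = None) -> List[str]:
    """Turn raw readings into findings. None means the source was unreadable."""
    findings: List[str] = []
    if secure_boot_raw is None or setup_mode_raw is None:
        findings.append("secure boot state unknown (no efivarfs: legacy BIOS boot, VM or container?)")
    elif not secure_boot_enforced(secure_boot_raw, setup_mode_raw):
        findings.append("secure boot not enforced: unsigned bootloaders/kernels will run")
    if bios_date is None:
        findings.append("bios date unknown (no DMI data)")
    else:
        age = bios_age_days(bios_date, today_iso)
        if age > MAX_BIOS_AGE_DAYS:
            findings.append("bios is %d days old (built %s); check vendor for updates"
                            % (age, bios_date.strip()))
    return findings


def _read_bytes(path: str) -> Optional[bytes]:
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return None


def audit_host() -> List[str]:
    """Run the check against the live system (Linux with UEFI; root not needed)."""
    sb = _read_bytes(os.path.join(EFIVARS, "SecureBoot-" + EFI_GLOBAL_GUID))
    sm = _read_bytes(os.path.join(EFIVARS, "SetupMode-" + EFI_GLOBAL_GUID))
    bd = _read_bytes(DMI_BIOS_DATE)
    return evaluate(sb, sm, bd.decode() if bd else None)


if __name__ == "__main__":
    # Constructed sample: Secure Boot off, BIOS six years stale as of Jan 2025.
    for line in evaluate(b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x00",
                         "01/01/2019", "2025-01-08"):
        print("SAMPLE:", line)
    for line in audit_host() or ["no findings on this host"]:
        print("HOST:", line)
```

Note that the check reads SetupMode as well as SecureBoot: a platform that reports SecureBoot=1 while still in setup mode has no platform key enrolled and is not actually verifying anything, which is the kind of detail a "Secure Boot enabled" checkbox in a vendor's datasheet can hide.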
The payment shouldn't make much of a dent in Illumina's business. According to the complaint, Illumina's many government contracts for hardware, software, and service have earned it "at least hundreds of millions of dollars" over the years. The company, which is due to report earnings after the bell Thursday, [13]netted $131 million in the first quarter of 2025. ®
[1] https://www.justice.gov/opa/pr/illumina-inc-pay-98m-resolve-false-claims-act-allegations-arising-cybersecurity
[3] https://regmedia.co.uk/2025/07/31/illumina-complaint.pdf
[8] https://www.theregister.com/2025/04/19/hp_deceptive_pricing_lawsuit/
[9] https://www.theregister.com/2025/03/26/us_defense_contractor/
[10] https://www.theregister.com/2025/07/15/us_puts_it_consultancy_to/
[11] https://www.theregister.com/2023/06/21/dna_testing_company_ftc_complaint/
[12] https://www.theregister.com/2025/01/08/dna_sequencer_vulnerabilities/
[13] https://investor.illumina.com/financials/default.aspx
Re: Ho-Hum here we go again ... again !!!
aka "legal for a fee"
Ho-Hum here we go again ... again !!!
I love American 'Law' and its sometimes friend & ally 'Justice' ...
ANY legal issue can be resolved, usually after the fact, IF you throw enough money at it !!!
Either the Lawyers can make the 'issue' run for so long that whoever runs out of money first loses.
OR
The legal system itself 'accepts' a 'contribution to funds' that is accepted as an easier/simpler/quicker conclusion than fighting a case in the courts 'ad infinitum'.
Both options mean that you get a 'Get Out of Jail Free Card' and select one of: admit to NO guilt or, 'in extremis', accept guilt of a 'lesser charge'.
Poorer entities tend to get fewer options and/or less favourable choices !!!
:)