DOJ False Claims Act Priorities: Cybersecurity Is Still on the Radar
Monday, September 8, 2025

By the third quarter of 2025, the Department of Justice (DOJ) has made plain that it will continue using the False Claims Act (FCA) to advance administration priorities.

While the focus on diversity, equity, and inclusion (DEI)—addressed in our August 8 post—continues to make headlines, DOJ is not taking its eye off cybersecurity. Two settlements announced in late July, totaling approximately $11.5 million, reinforce that noncompliance with cybersecurity obligations can trigger FCA exposure.

Illumina, Inc. Settlement ($9.8 Million)

On July 31, DOJ announced that biotech company Illumina, Inc. agreed to pay $9.8 million to resolve FCA allegations that it sold genomic sequencing systems to multiple federal agencies with software that had cybersecurity vulnerabilities and without adequate product security and quality systems to identify and remediate those vulnerabilities. Specifically, the government alleged that Illumina: (1) failed to incorporate product cybersecurity into software design, development, installation, and on-market monitoring; (2) under-resourced product security personnel, systems, and processes; (3) failed to correct design features that introduced vulnerabilities; and (4) falsely represented adherence to cybersecurity standards, including standards of the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST). 

Notably, the United States asserted in the settlement agreement that the claims for payment were false “regardless of whether any actual cybersecurity breaches occurred” because the software had various cybersecurity vulnerabilities and lacked security programs and quality systems to address vulnerabilities. The relator, a former Illumina director, will receive $1.9 million as her share of the settlement.

Aero Turbine, Inc. Settlement ($1.75 Million)

Also announced on July 31, defense contractor Aero Turbine Inc. and its private equity owner Gallant Capital Partners resolved allegations that the company failed to implement certain NIST controls under a U.S. Air Force contract and improperly provided a foreign software vendor in Egypt with files containing sensitive defense information. The defendants received cooperation credit under DOJ’s FCA guidelines (Justice Manual § 4-4.112) due to how they “provided the government with multiple written self-disclosures, cooperated with the government’s investigation of the issues, and took prompt remedial action.”

Significance of These Cases

  • No breach is required. DOJ asserted in the Illumina settlement agreement that the claims to the agencies were false even absent an actual breach, reinforcing that cyber representations can be material to payment and form the basis for FCA liability. This is a powerful signal for contractors selling software-enabled products into federal environments, as representations about adherence to various standards (e.g., ISO, NIST) can become the backbone of an FCA theory if they are not fully supported across the product lifecycle.
  • Private equity is not insulated. As part of the Aero Turbine resolution, DOJ settled with both the portfolio company and its private equity owner, reflecting DOJ’s continued willingness to reach controlling sponsors when they allegedly influence conduct impacting corporate compliance. Private equity sponsors should consider baking cyber diligence and oversight into portfolio governance.
  • Cooperation credit is real. The Aero Turbine settlement agreement expressly memorializes the basis for cooperation credit under Justice Manual § 4-4.112, a practice DOJ has been moving toward in civil FCA matters. Early, thorough self-disclosure can materially affect outcomes, and having a ready-to-run playbook for self-disclosure and concrete remediation can significantly influence FCA liability.
  • Potential whistleblowers are watching product security. The relator in Illumina (formerly a director overseeing the on-market portfolio at the company) received $1.9 million, underscoring whistleblower incentives around design, resourcing, and lifecycle security of software-enabled products used by government agencies.
  • Companies should expect broader agency interest. Illumina’s settlement involved claims across numerous civilian and defense agencies, reminding vendors that cyber expectations are not confined to Department of Defense contracts.

More from Epstein Becker & Green, P.C.
