“False” Sense of Security: DOJ Announces False Claims Act Settlements Related to Failure to Comply with Cybersecurity Requirements

On July 31, 2025, the United States Department of Justice (DOJ) announced a pair of settlements with companies accused of having violated the False Claims Act (FCA) by falsely representing their compliance with certain cybersecurity requirements applicable to federal contractors. These two settlements highlight key aspects of DOJ’s enforcement priorities: (1) DOJ’s strong focus on enforcing the FCA in the cybersecurity space, and (2) DOJ’s willingness to reward companies that self-disclose violations. All government contractors certifying compliance with regulatory and contractual requirements must stay vigilant and take the steps needed to comply. 

In one press release, DOJ announced a $9.8 million settlement with Illumina Inc., alleging that the company sold genomic sequencing systems with cybersecurity vulnerabilities to certain federal agencies and did not have an adequate product security program or sufficient systems to identify and address these vulnerabilities. This settlement arose out of a qui tam action filed by a former Illumina employee in the United States District Court of Rhode Island.[1] According to DOJ, between February 2016 and September 2023, Illumina knowingly failed to incorporate sufficient cybersecurity protections and falsely represented that its software adhered to cybersecurity standards, including standards of the International Organization for Standardization and National Institute of Standards and Technology. While Illumina denied these allegations, it agreed to pay $9.8 million, of which $4.3 million was restitution. The settlement thus seems to have involved a multiplier that exceeded the 2x multiplier that typically applies in FCA settlements.

In an additional press release, DOJ announced a $1.75 million settlement with defense contractor Aero Turbine Inc. (ATI) and private equity company Gallant Capital Partners LLC (Gallant), which has a controlling stake in ATI. There, DOJ alleged that ATI violated the FCA by knowingly failing to comply with cybersecurity requirements in its contract with the Department of the Air Force. The government further claimed that between January 2018 and February 2020, ATI failed to implement cybersecurity controls of its information system, which contained controlled unclassified information. ATI’s systems allegedly did not meet applicable cybersecurity standards, as required by the National Institute of Standards and Technology, which could have led to significant exploitation of the system or exfiltration of sensitive defense information. Notably, unlike Illumina, ATI and Gallant voluntarily self-disclosed this issue, as detailed by the settlement agreement. Among other measures, ATI submitted two written disclosures, identified individuals involved in or responsible for the situation, disclosed facts from its internal investigation, along with attribution to specific sources, and implemented remedial measures. DOJ apparently applied a lower multiplier of just over 1.5x, rather than the typical 2x multiplier, in exchange for the self-disclosure and cooperation. 

These settlements highlight the government’s potent use of the FCA to enforce cybersecurity compliance. In this evolving enforcement landscape, any company certifying cyber compliance to a federal or state government entity should continually review its cybersecurity systems and protections to ensure compliance. And companies that discover non-compliance implicating the FCA should strongly consider making a self-disclosure.

Subscribe To Viewpoints