Cybersecurity-Related Enforcement Under the False Claims Act in 2025: New Settlements, Same Lessons — EnforceMintz

In 2025, the Department of Justice's (DOJ) Civil Cyber-Fraud Initiative drove major False Claims Act (FCA) settlements involving defense contractors, research institutions, and health care companies, highlighting the need for strict compliance with NIST, DFARS, and FedRAMP requirements, as well as proactive self-disclosure and due diligence.

KEY POINTS:
  • Cybersecurity enforcement remains a priority. DOJ’s Civil Cyber-Fraud Initiative continues to drive FCA enforcement actions, with 2025 seeing multiple settlements primarily involving defense contractors and one significant health care case — signaling that cybersecurity compliance remains a focus for companies doing business with the government.
  • Self-disclosure and cooperation reduce penalties. Companies that voluntarily disclose cybersecurity failures and cooperate with investigations receive substantial benefits, such as reduced damages multipliers.
  • Successor liability and investor risk are real. DOJ may impose liability on successor entities for predecessors’ cybersecurity failures. Private equity firms and acquirers should conduct thorough due diligence and consider self-disclosure if noncompliance is discovered post-acquisition.
  • Criminal exposure and heightened penalties are emerging. DOJ may impose harsher penalties for egregious violations, including multipliers exceeding the typical FCA standard.
This article is part of EnforceMintz: Healthcare Enforcement Trends in 2025 & 2026 Outlook, a series exploring key developments and practical strategies for health care organizations navigating enforcement risks. Read more articles from EnforceMintz to stay current on enforcement trends and compliance strategies.
While the Trump administration announced many new FCA enforcement priorities in 2025, one enforcement area from recent years — noncompliance with applicable cybersecurity laws and regulations — remained active. The DOJ launched its Civil Cyber-Fraud Initiative in October 2021 and reported its first settlement in 2022, so this initiative is still in its infancy. In 2023 and 2024, cybersecurity FCA enforcement efforts focused on entities providing technology-related services to state and federal agencies, as well as some defense contractors. In 2025, cybersecurity FCA enforcement largely focused on defense contractors, with one notable health care–related settlement involving a biotechnology company in the genetic testing industry.

These cybersecurity-related FCA resolutions serve as a reminder to all companies doing business with the government — including health care entities — that many tried-and-true tools remain key to managing enforcement risk and liability: auditing and monitoring of compliance with applicable requirements, promptly responding to reported concerns or observations of noncompliance, conducting thorough due diligence when acquiring new businesses, and promptly self-disclosing discovered failures.

Cybersecurity Enforcement Remained Largely Focused on Defense Contractors in 2025, with One Notable Health Care Settlement

As reported in a previous post, DOJ announced in March 2025 an FCA settlement with MORSE Corp, a Massachusetts company with Department of Defense (DOD) contracts. The company agreed to pay $4.6 million to settle the government’s claims, which arose out of a qui tam complaint, alleging failures to implement National Institute of Standards and Technology Special Publication (NIST SP) 800-171 cybersecurity controls, to comply with a Defense Federal Acquisition Regulation Supplement (DFARS) requirement, to implement written plans required by the government’s Federal Risk and Authorization Management Program (FedRAMP), and to ensure that subcontractors met similar requirements.

In October 2025, DOJ announced an $875,000 settlement with Georgia Tech Research Corporation alleging that it failed to meet cybersecurity requirements by failing to implement anti-virus and anti-malware tools as required by NIST SP 800-171, failing to timely implement a System Security Plan as required by DFARS 7012, and submitting a false, inflated DFARS 7019 / 7020 assessment score to DOD. Generally speaking, entities handling covered defense information under a DOD contract must comply with DOD’s cybersecurity requirements. But those rules arguably do not apply where the research institution contracts to perform “fundamental research,” academic research that DOD’s cybersecurity regulations define as outside their scope. The “fundamental research” exception could be relevant for health care institutions like academic medical centers. Georgia Tech raised this exception in a motion to dismiss filed after the government intervened and the case was unsealed, arguing that DOD’s cybersecurity regulations did not apply because the research entity had contracted to perform “fundamental research.” While it would have been instructive for health care clients to see how the court handled this argument, the case settled while the motion to dismiss was pending, and the District Court never addressed whether and how DOD cybersecurity regulations apply to contracting entities performing fundamental research.

Potentially the most notable cybersecurity FCA settlement from 2025 for health care companies involved a diagnostics company that develops DNA sequencing and array-based life sciences technologies used for genetic testing and other purposes. According to the press release, the settlement resolved allegations that the company sold numerous models of sequencers (which can be used to sequence human DNA and RNA, for example) with software cybersecurity vulnerabilities, inadequate product security programs, and insufficient systems to identify and address these vulnerabilities. The sequencers were sold across the United States, including to various federal agencies, and the alleged vulnerabilities left genetic information analyzed by the software susceptible to unauthorized use or disclosure. DOJ further alleged that the company knowingly failed, over a seven-year period, to implement sufficient cybersecurity protections and falsely represented that its software complied with standards set by the International Organization for Standardization (ISO) and NIST. While the company denied the allegations, it agreed to pay $9.8 million, including $4.3 million in restitution. Notably, the settlement appears to have involved a multiplier that exceeded the typical 2x FCA damages multiplier, potentially signaling that DOJ viewed the cybersecurity-related failures in this case as particularly egregious.

Cybersecurity-Related Resolutions from 2025 Offer Important Reminders About Best Practices

DOJ Continues to Encourage and Reward Self-Disclosure

In July 2025, DOJ announced a $1.75 million settlement with defense contractor Aero Turbine Inc. (ATI) and private equity firm Gallant Capital Partners (Gallant), which holds a controlling interest in ATI. Two aspects of this resolution are notable.

First, Gallant was included as a party to the settlement. As evidenced by the settlement agreement, the government viewed both ATI and Gallant as bearing responsibility for various cybersecurity-related failures and the government alleged a Gallant employee was directly engaged in some of the misconduct. This resolution serves as a reminder to private equity investors about the risks of getting involved in portfolio companies’ day-to-day business activities.

Second, the settlement arose from a voluntary self-disclosure in which both ATI and Gallant cooperated extensively with the government. The settlement agreement details ATI and Gallant’s cooperation, including that (1) ATI submitted two written disclosures to the government; (2) ATI and Gallant cooperated in the investigation by identifying individuals involved in or responsible for the issues, disclosed facts gathered during the independent investigation, and attributed the facts to specific sources; and (3) ATI promptly remediated the identified issues. Under the settlement agreement, ATI and Gallant received cooperation credit, which apparently took the form of an approximate 1.5x damages multiplier, well under the typical 2x FCA multiplier, emphasizing the benefits of proactive disclosure and cooperation.

DOJ May Seek to Impose Successor Liability for Predecessors’ Cybersecurity Failures

In May 2025, DOJ announced an $8.5 million settlement with Raytheon Company (Raytheon), RTX Corporation, Nightwing Group LLC, and Nightwing Intelligence Solutions LLC (collectively Nightwing). DOJ alleged that from August 2015 through June 2021 Raytheon failed to implement a System Security Plan compliant with NIST SP 800-171 and Federal Acquisition Regulation Section 52.204-21. This settlement was significant because it named Nightwing as a “successor in liability” in the claims against Raytheon, even though Nightwing did not acquire Raytheon’s cybersecurity business until three years after the relevant time period. This resolution highlights the importance of conducting thorough diligence and of promptly making a self-disclosure if noncompliance is discovered post-acquisition.

Criminal Enforcement Is a Potential Consequence for Cybersecurity-Related Misconduct

Cybersecurity enforcement from the past year also involved exposure to potential individual criminal liability. In December 2025, a grand jury in the District of Columbia returned an indictment charging a former senior manager of a government contractor with “major government fraud, wire fraud, and obstructing federal audits for allegedly carrying out a multi-year scheme to mislead federal agencies about the security of a cloud-based platform used by the U.S. Army and other government customers.” The indictment alleges that the manager obstructed federal auditors, falsely represented that the contractor’s cloud platform implemented required security controls, and concealed the platform’s noncompliance with FedRAMP security controls.

Cybersecurity Enforcement in 2025 Teaches that Long-Standing Best Practices Remain Important

Cybersecurity enforcement in 2025 is likely a harbinger for enforcement in 2026. We expect these resolutions will continue and potentially increase, including in the health care industry. One key takeaway for health care (and other) companies is that traditional best practices for avoiding and mitigating FCA liability remain critical. For example, DOJ rewards companies that make prompt self-disclosures and cooperate in investigations. Thorough due diligence in transactions remains important, especially in transactions where investors could unknowingly assume FCA liability. Finally, private equity investors should continue to be mindful of possible FCA exposure when they invest in and manage portfolio businesses. Companies contracting with the government should keep these lessons in mind, especially as AI technology becomes more prevalent and creates new challenges and risks for cybersecurity enforcement.
Authors

Keshav Ahuja

Associate

Keshav Ahuja is an attorney at Mintz who focuses his practice on complex commercial litigation, securities litigation, class actions, and other litigation matters.
Samantha advises clients on regulatory and enforcement matters. She has deep experience handling violations of the federal anti-kickback statute and FCA investigations for clinical laboratories and hospitals.