Insights

On September 30, 2025, the Department of Justice (DOJ) announced that Georgia Tech Research Corporation (GTRC) agreed to pay $875,000 to settle allegations that it violated the False Claims Act (FCA) and federal common law by failing to meet cybersecurity requirements under certain Air Force and Defense Advanced Research Projects Agency (DARPA) contracts.  The settlement adds to the growing list of recoveries under DOJ’s Civil Cyber-Fraud Initiative and is yet another example of DOJ’s ongoing enforcement focus on cybersecurity obligations for federal contractors handling sensitive government information.  The settlement also provides insight into how government contractors may challenge FCA liability when faced with allegations of cybersecurity noncompliance.

On July 31, 2025, the Department of Justice (DOJ) announced that Illumina, Inc. will pay $9.8 million to resolve allegations that it violated the False Claims Act (FCA) by selling genomic sequencing systems with software containing cybersecurity vulnerabilities to federal agencies. This is the first FCA settlement involving claims that a medical manufacturer failed to incorporate adequate product cybersecurity into its software design and development.The allegations were first made in United States ex rel. Lenore v. Illumina Inc., No. 1:23-cv-00372 (D.R.I.), a qui tam action filed by Illumina’s former Director for Platform Management, On-Market Portfolio in September 2023. The relator alleged that, between February 2016 and September 2023, Illumina knowingly sold genomic sequencing systems to government agencies without adequate security programs or quality systems to identify and address software vulnerabilities. The complaint further alleged that Illumina failed to properly resource personnel and processes responsible for product security, did not remediate design features introducing cybersecurity risks, and misrepresented the software’s adherence to required cybersecurity standards.According to the government, Illumina’s actions included:

On June 17, 2024, the Department of Justice (DOJ) announced a $11.3 million False Claims Act (FCA) settlement that touches on two key enforcement priorities:  the DOJ’s Civil Cyber-Fraud Initiative and pandemic-related fraud.  This settlement, the largest under the Civil Cyber-Fraud Initiative to date, resolved allegations that Guidehouse Inc. (Guidehouse) and its subcontractor, Nan McKay and Associates (Nan McKay), violated the FCA because they failed to conduct pre‑production cybersecurity testing on New York State’s Emergency Rental Assistance Program (ERAP) technology product before public launch, and that Guidehouse used an unapproved third-party data cloud software program to store personally identifiable information (PII).

Click below to listen or access from one of these links: PodBean | SoundCloud | Apple Podcasts