FORENSIC LEGIBILITY EXAMINER
CASE 132
CONTROLLED ACCESS & AUTHORIZATIONS
END DATE TBD
DISPOSITION: ACCESS AUTHORIZATION CREDENTIAL SOLD TO FEDERAL AGENCIES AS CERTIFYING DEFINED PRIVILEGE BOUNDARIES; EVERYDAY USERS RECEIVED ADMINISTRATIVE-LEVEL ACCESS BY DEFAULT — THE PRIVILEGE BOUNDARY THE CREDENTIAL WAS REQUIRED TO REPRESENT WAS ABSENT FROM THE SYSTEM DESIGN FOR SEVEN YEARS ACROSS MULTIPLE FEDERAL AGENCY CUSTOMERS

Access Authorization Credential Authority Failure Through Elevated Default Privileges Granted to Standard Users — Illumina Inc., 2016–2023

The access authorization credential certifies that system users can access only the data and functions permitted by their assigned privilege level. Illumina's genomic sequencing systems granted everyday users administrative-level privileges by default — described by the relator as analogous to granting every user super-administrator rights over a database containing confidential patient health information. The privilege boundary the credential was required to represent was not encoded in the system design. Thousands of standard users could access, manipulate, and alter HIPAA-protected patient data without detection. Illumina sold these systems to federal agencies including DOJ, HHS, DHS, NASA, and the VA from February 2016 through September 2023 while falsely representing that the software adhered to applicable cybersecurity standards. No data breach was required for FCA liability. The credential authorized access. The access boundary it was supposed to certify was not present.
Failure classification: Access Authorization Credential Sold to Federal Agencies as Certifying Defined Privilege Boundaries; Everyday Users Granted Administrative-Level Access by Default; Privilege Boundary Not Encoded in System Design; Hard-Coded Credentials Exposed; Insider Access Ungoverned — Three Concurrent Authorization Failures Across Seven Years of Federal Agency Sales

Context

Genomic sequencing systems process, store, and transmit genetic and patient health information — among the most sensitive categories of personal data subject to federal protection. Federal agencies that purchase these systems rely on the access authorization credential embedded in the product design: the system certifies, through its privilege architecture, that users can access only what their assigned role permits. When an agency purchases a sequencing system for use in federal health programs, the access credential is the mechanism through which the agency establishes that patient data is protected at the point of use.

Illumina sold genomic sequencing systems to federal agencies from February 2016 through September 2023. During that period, the systems granted everyday users administrative-level privileges by default. The relator — a former Illumina Director for Platform Management — described this as analogous to granting every user super-administrator rights over a database. Standard users could access and manipulate confidential patient health data, alter product configurations, install unauthorized applications, grant third parties access to the system, and disable firewalls — without detection. The privilege boundary the access credential was required to represent was not present in the system design. Illumina represented to federal agency customers that the software adhered to applicable cybersecurity standards including ISO and NIST. The representation was false.

Trigger

A former Illumina Director for Platform Management filed a qui tam complaint in September 2023 alleging three concurrent cybersecurity failures: elevated default privileges, hard-coded credentials, and ungoverned insider access to customer data. DOJ investigated and settled on July 31, 2025 for $9.8 million — the first FCA settlement with a medical device manufacturer based on cybersecurity deficiencies in product design. The settlement established that no actual data breach was required for FCA liability. The false claims arose from the credential itself: Illumina represented its systems complied with cybersecurity standards while knowingly selling systems whose access authorization architecture did not enforce the privilege boundaries those standards required.

The seven-year duration of the failure — 2016 through 2023 — documents the gap between the credential representation and the access condition it was supposed to certify across the entire period of federal agency sales. The agencies that purchased and relied on these systems had no mechanism to evaluate whether the access authorization credential represented the privilege boundary it certified. The product was the credential. The credential certified a boundary. The boundary was absent from the design.

Failure Condition

The access authorization credential in a software system is its privilege architecture — the design that encodes which users can access which data and functions. When a system grants administrative privileges to everyday users by default, the credential certifies a boundary that is not present. Every user who logs in receives access that exceeds what the credential is supposed to authorize. The boundary is not enforced at the point of access. It is not evaluable from the credential. The relying party — the federal agency and the patients whose data the system processes — cannot determine from the credential whether the access boundary the system represents is the access boundary the system enforces.

The three failure conditions in this case are structurally distinct but trace to the same absent encoding condition. Elevated default privileges: the access credential does not enforce the privilege boundary at the point of user authentication. Hard-coded credentials: the access credential is fixed in the system design — the authorized user cannot rotate, revoke, or control it. Ungoverned insider access: the access credential does not encode the boundary between Illumina personnel and customer patient data — the credential authorizes access without representing who is excluded from it.

In all three conditions, the access authorization credential certified a boundary condition that was not present in the system at the point of reliance. Federal agencies purchased the systems. The credential represented compliance. The compliance condition the credential certified was not encoded in the design. Seven years. Multiple federal agency customers. No breach required to establish that the claims were false.
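
The three failure conditions described in this section can be checked mechanically against an export of a system's roles and accounts, which is one form of the independent verification a relying party lacks. The following Python check is an added example, not code from Illumina, the complaint, or the settlement; the right names, role names, and account records are constructed for illustration.

```python
# Added illustration; right names, roles and accounts are constructed, not Illumina's.
ADMIN_RIGHTS = {"modify_patient_data", "change_config", "install_software",
                "grant_third_party_access", "disable_firewall"}
PATIENT_DATA_RIGHTS = {"read_patient_data", "modify_patient_data"}

SAMPLE = {  # constructed export of a system's privilege architecture
    "default_role": "operator",  # role every new everyday user receives
    "roles": {
        "operator": ["run_sequencing", "read_patient_data", "modify_patient_data",
                     "change_config", "install_software",
                     "grant_third_party_access", "disable_firewall"],
        "admin": sorted(ADMIN_RIGHTS | {"read_patient_data"}),
        "support": ["read_patient_data"],
    },
    "accounts": [
        {"name": "tech01", "kind": "user", "role": "operator",
         "credential": "rotatable"},
        {"name": "labadmin", "kind": "user", "role": "admin",
         "credential": "rotatable"},
        {"name": "svc_instrument", "kind": "service", "role": "operator",
         "credential": "hard-coded"},
        {"name": "vendor_support", "kind": "vendor", "role": "support",
         "credential": "rotatable", "customer_approved": False},
    ],
}

def audit(cfg):
    """Return (subject, finding, detail) tuples for the three conditions."""
    findings = []
    roles = {name: set(rights) for name, rights in cfg["roles"].items()}
    # 1. Elevated default privileges: the default role must carry no admin right.
    excess = sorted(roles[cfg["default_role"]] & ADMIN_RIGHTS)
    if excess:
        findings.append(("role:" + cfg["default_role"],
                         "elevated-default-privilege", excess))
    for acct in cfg["accounts"]:
        # 2. Hard-coded credentials: the customer cannot rotate or revoke the secret.
        if acct["credential"] == "hard-coded":
            findings.append((acct["name"], "hard-coded-credential", []))
        # 3. Ungoverned insider access: vendor reach into patient data needs approval.
        reach = sorted(roles[acct["role"]] & PATIENT_DATA_RIGHTS)
        if acct["kind"] == "vendor" and reach and not acct.get("customer_approved", False):
            findings.append((acct["name"], "ungoverned-insider-access", reach))
    return findings

def passes(cfg):
    """True only when none of the three conditions is present."""
    return not audit(cfg)
```

Run against the constructed sample, `audit` reports one finding per condition; a configuration passes only when the default role carries no administrative right, no credential is hard-coded, and vendor access to patient data is customer-approved.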

Observed Response

The $9.8 million settlement resolved the FCA allegations without an admission of liability. The DOJ characterized the settlement as underscoring the importance of cybersecurity in handling genetic information and DOJ's commitment to holding federal contractors accountable for cybersecurity risks. The case establishes that FCA liability for access authorization credential failures in product design extends to the full period of federal agency sales — seven years — regardless of whether any breach occurred during that period.

The settlement does not resolve the architectural condition. Federal agencies purchasing software products rely on access authorization credentials embedded in product design whose compliance with required standards is represented by the vendor. The relying party cannot evaluate whether the privilege boundary the credential certifies is the privilege boundary the system enforces without independent verification of the product's access architecture at the point of purchase and at every point of subsequent use.

Analytical Findings

  • The access authorization credential in Illumina's genomic sequencing systems certified compliance with cybersecurity standards requiring defined privilege boundaries; everyday users received administrative-level access by default — the equivalent of super-administrator rights over databases containing HIPAA-protected patient data; the privilege boundary the credential was required to represent was absent from the system design for seven years across multiple federal agency customers
  • Three concurrent failure conditions document the same structural gap from different access vectors: elevated default privileges (boundary not enforced at authentication), hard-coded credentials (access point fixed in design, non-rotatable, not controlled by authorized user), and ungoverned insider access (boundary between vendor personnel and customer data not encoded in credential)
  • Illumina represented to federal agency customers that the software adhered to applicable ISO and NIST cybersecurity standards; the representation was the access authorization credential; the access condition the credential certified was not present in the product design; federal agencies had no mechanism to evaluate whether the privilege boundary the credential represented was the privilege boundary the system enforced
  • No data breach was alleged or required for FCA liability; the government contended the claims were false regardless of whether breaches occurred; the false claim was in the credential — the representation of compliance with access authorization standards — not in any documented harm; the credential authorized seven years of federal agency purchases on a compliance condition that was not present
  • The seven-year failure period — 2016 through 2023 — documents the duration over which the access authorization credential certified a boundary condition absent from the product design; the gap between the credential representation and the access condition it was supposed to certify persisted across the entire period of federal agency sales without detection through normal agency oversight
  • An access authorization credential that encodes the privilege boundary in a form evaluable at the point of purchase and at the point of use — independently verifiable without relying on the vendor's representation of compliance — makes the access condition demonstrable before the credential authorizes agency purchase and patient data exposure; a system whose privilege architecture does not enforce the boundary the credential certifies fails at the point of credential generation

References

  1. U.S. Department of Justice, Illumina Inc. to Pay $9.8M to Resolve False Claims Act Allegations Arising from Cybersecurity Vulnerabilities in Genomic Sequencing Systems; July 31, 2025; $1.9 million to whistleblower; first FCA settlement with medical device manufacturer for product cybersecurity deficiencies.
  2. Qui tam complaint, United States ex rel. Lenore v. Illumina Inc., No. 1:23-cv-00372 (D.R.I.); filed September 2023 by former Director for Platform Management; three failure conditions: elevated default privileges, hard-coded credentials, ungoverned insider access.
  3. Gibson Dunn, DOJ Ends July 2025 with Two Groundbreaking FCA Settlements in the Cybersecurity Space; elevated privileges described as "analogous to having super admin rights of a database"; users able to access and manipulate HIPAA-protected data, change configurations, install applications, grant third-party access, and disable firewalls without detection; August 2025.
  4. Skadden, DOJ Settlement With Medical Technology Company Signals Expanding Cybersecurity FCA Risk for Life Sciences Companies; first FCA resolution with medical device manufacturer based on cybersecurity deficiencies; no breach required; claims false regardless of whether breaches occurred; August 2025.
  5. Morgan Lewis, DOJ Announces First FCA Settlement with Medical Device Company for Cybersecurity Violations; three specific failures: elevated privileges for general users, hard-coded credentials, failure to mitigate insider access threat; August 2025.
  6. Federal agency customers: DOJ, HHS, DHS, NASA, VA; systems sold February 2016 through September 2023; Illumina represented software adhered to ISO and NIST cybersecurity standards; representation false for seven-year period.