Introduction
The Department of Justice (DOJ) has launched a nationwide effort to use the False Claims Act (FCA) to enforce federal cybersecurity requirements. Through its Civil Cyber-Fraud Initiative, DOJ is targeting contractors and grant recipients that misstate their cybersecurity compliance or fail to correct known vulnerabilities even when no breach occurs.
Recent settlements confirm this enforcement priority. Healthcare, life sciences, and defense contractors have paid millions to resolve allegations that they falsely certified compliance with required cybersecurity safeguards. The message is clear: for entities doing business with the federal government, cybersecurity is no longer just a technical matter, it is a legal one.
Under the FCA, companies that knowingly submit false information to obtain government payment can face substantial penalties, and insiders who expose such misconduct may share in any recovery. DOJ’s recent actions demonstrate that incomplete or unsupported cybersecurity certifications can carry the same consequences as any other false claim.
Cybersecurity Obligations in Federal Health Plan Contracts
In 2025, Health Net Federal Services and Centene Corporation, two managed-care contractors that administer military health benefits under the TRICARE program, agreed to pay more than $11 million to resolve allegations that they falsely certified compliance with cybersecurity requirements in their contracts with the Defense Health Agency.
Those obligations stemmed from the companies’ federal procurement agreements, which incorporated cybersecurity standards drawn from Department of Defense regulations. Each company documented its approach to meeting those standards in detailed system security plans that became part of its contractual commitments. DOJ alleged that the companies failed to carry out key safeguards identified in those plans—such as periodic vulnerability scanning, prompt patching of known weaknesses, and continuous monitoring of networked systems—and that their annual certifications of compliance therefore misrepresented their true security posture.
Because the matter came to light through a self-disclosure rather than a whistleblower complaint, the companies earned limited cooperation credit, but that did not eliminate liability. By treating the undisputed lapses as material to payment, DOJ signaled that cybersecurity compliance is not a peripheral contract term but a condition of ongoing eligibility to administer federal health programs.
For other healthcare entities, the lesson is straightforward. Whether operating hospitals, health plans, or telehealth platforms, contractors handling patient or claims data for Medicare, Medicaid, or TRICARE must maintain verifiable security controls and timely remediation procedures. As remote care and data exchange expand, the risk of noncompliance—and with it, FCA exposure—increases. Cybersecurity documentation and monitoring now function as compliance records just like billing or utilization reports.
Product Security and Compliance in Life Sciences
The life sciences sector presents a different route to the same risk. Companies that develop or sell products to federal agencies increasingly must demonstrate that their software and connected devices meet recognized cybersecurity standards. When those assurances prove inaccurate, DOJ has treated them as false claims.
Illumina, Inc., a manufacturer of genetic-sequencing instruments and software, agreed in 2025 to pay approximately $9.8 million to resolve allegations that it sold products to government customers while failing to meet the cybersecurity obligations in its federal contracts. Contract terms required Illumina to design and maintain its products under established federal cybersecurity frameworks, but DOJ alleged the company had not implemented adequate security controls across the design, testing, and post-market phases of the product lifecycle. Investigators alleged that the company’s security reviews were incomplete and that known vulnerabilities went unremediated before products were sold to government agencies.
The case began as a whistleblower suit brought by a former Illumina director who claimed the company ignored internal warnings about cybersecurity deficiencies. DOJ intervened, and the relator received a share of the settlement proceeds. Notably, there was no allegation of an actual data breach—only that Illumina’s representations of compliance were inaccurate. DOJ’s treatment of those misstatements as materially false reinforced the principle that cybersecurity, like quality and safety, is an integral part of product compliance.
For medical-device and digital-health manufacturers, the lesson is that cybersecurity is now inseparable from product design and regulatory compliance. Federal purchasers and regulators expect demonstrable, documented security measures throughout a product’s development and maintenance. This will likely become increasingly true as artificial intelligence becomes embedded in diagnostic and clinical-decision tools, where data integrity and algorithmic transparency will be treated as elements of cybersecurity. Misrepresenting the strength or completeness of those protections—whether in a proposal, certification, or post-market report—can expose the company to FCA liability.
Cybersecurity in Defense Contracting
The defense sector provided the first judicial test of DOJ’s cybersecurity enforcement strategy. Aerojet Rocketdyne, a major aerospace and defense contractor, certified in its contracts that it complied with Department of Defense cybersecurity clauses requiring protection of controlled unclassified information. According to DOJ, the company knew it had not implemented many of the required controls but continued to assure the government that its systems met contractual standards. The obligations were contractual, derived from defense procurement terms incorporating federal cybersecurity standards.
The case was filed by Aerojet’s former cybersecurity executive, who alleged that company leadership ignored his warnings and submitted certifications they knew were incomplete. In 2019, the U.S. District Court for the Eastern District of California denied Aerojet’s motion to dismiss, holding that false or misleading statements about cybersecurity compliance could be material under the FCA even without a data breach. That ruling marked the first judicial recognition that cybersecurity commitments in federal contracts are enforceable under the FCA.
Following discovery, Aerojet settled for $9 million without admitting wrongdoing; the whistleblower received a share. The outcome confirmed that cybersecurity requirements in defense contracts are not aspirational but material performance terms. For contractors handling government data, incomplete or unsupported attestations of compliance can expose the company to the same penalties as false statements about cost or quality.
Taken together, these cases illustrate a coherent enforcement pattern. Whether the contractor processes health data, sells medical devices, or supplies defense systems, DOJ’s approach is the same: cybersecurity representations are treated as material commitments. Each case reinforces that an actual breach is not required, and that both whistleblowers and self-disclosing companies can shape outcomes through their cooperation or lack of it.
Practical Takeaways
Across all three sectors, DOJ’s message is consistent: cybersecurity promises to the government must be accurate, documented, and verifiable. Liability arises from false or unsupported certifications even in the absence of a security breach.
For contractors, the practical steps are clear:
- Treat cybersecurity obligations as contractual performance terms, not technical aspirations.
- Maintain auditable security plans and supporting evidence.
- Implement systems that detect and remediate vulnerabilities before they become FCA issues.
- Disclose deficiencies promptly and cooperate with government inquiries.
For potential whistleblowers, the same pattern offers both opportunity and protection. Employees who become aware of knowing violations—whether through direct participation or internal review—may pursue FCA claims and share in the government’s monetary recovery. Recent cases confirm that technical staff and compliance professionals are often the first to detect discrepancies that later form the basis for enforcement.
Conclusion
The Department of Justice has made cybersecurity a new front in False Claims Act enforcement, holding contractors to the same standards of accuracy and documentation that govern other compliance obligations. For contractors, that means every certification of compliance must be accurate and supportable; for employees, it means that credible knowledge of knowing violations can trigger both protection and reward.
Frier Levitt provides strategic, industry-focused legal counsel tailored to your needs. Contact our team today to learn how we can help you.