The Department of Justice (DOJ) recently obtained several cybersecurity-related False Claims Act (FCA) settlements totaling more than $50 million. Collectively, these settlements reflect a clear message: Cybersecurity is an enforcement priority for the second Trump administration, and any organization that contracts with the federal government is a potential target.
Background
On June 6, 2025, President Trump signed Executive Order 14306, titled “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144.” The executive order itself contains a series of amendments, as well as some directives aimed at strengthening the nation’s cybersecurity and blunting the efforts of “[f]oreign nations and criminals” to conduct cyber campaigns against the United States (EO No. 14306, 90 Fed. Reg. 24723 (June 5, 2025)). The accompanying fact sheet provides additional highlights and reemphasizes the administration’s focus on cybersecurity.
While that focus on cybersecurity may be new, the administration has turned to an old and reliable tool to advance this enforcement priority — the FCA.
Settlements
In the past nine months, the DOJ has achieved settlements in several cybersecurity cases under the FCA covering a range of conduct and industries. Among others, they include:
- Health Net Federal Services, LLC, and Centene Corporation
On February 18, 2025, the DOJ announced that Health Net Federal Services LLC (HNFS) and parent company Centene Corporation settled with the government for $11 million to resolve allegations that HNFS, which contracted with the Department of Defense, falsely certified compliance with cybersecurity requirements. The covered conduct occurred between 2015 and 2018. Centene Corporation acquired HNFS in 2016.
- Aero Turbine Inc. / Gallant Capital Partners LLC
On July 31, 2025, the DOJ announced that aerospace company Aero Turbine Inc. and the private equity firm Gallant Capital Partners LLC reached a $1.75 million settlement with the government for failing to comply with the cybersecurity requirements in the contract between Aero Turbine and the Department of the Air Force. The government also alleged that the companies failed to control the flow of information to unauthorized foreign personnel. Both companies received credit for their disclosure and cooperation under §4-4.112 of the Justice Manual, which describes the factors to be considered, and the credit given, for entities or individuals who voluntarily self-disclose conduct that could give rise to FCA liability.
- Illumina, Inc.
On July 31, 2025, the DOJ announced it had reached a $9.8 million settlement with Illumina, Inc., to resolve allegations that the biotech company sold a defunct and vulnerable cybersecurity genomic sequencing system to the government.
- Georgia Tech Research Corporation
On September 30, 2025, the DOJ announced that the Georgia Tech Research Corporation, a nonprofit government contractor, agreed to settle FCA allegations for $875,000. The government alleged that the nonprofit failed to meet cybersecurity requirements set forth in its contracts with government agencies.
Assistant Attorney General Brett A. Shumate with DOJ’s Civil Division stated, “Together with DoD and other agency partners, the Department of Justice will continue to pursue and litigate violations of cybersecurity requirements to hold contractors accountable when they violate their cybersecurity commitments.” These comments forecast the Trump administration’s continued reliance on the time-tested False Claims Act to deal with its new cybersecurity enforcement priority.
Takeaways
There are several notable takeaways from these settlements:
- A cybersecurity breach is not required to trigger liability under the FCA.
- Companies acquiring government contractors may assume FCA liability.
- FCA cybersecurity investigations are not industry specific. While defense contractors remain a key focus, such investigations can affect any company, regardless of industry.
- As in other areas, DOJ has scrutinized private equity holdings in the wake of a cybersecurity incident. Private equity companies face FCA risk for portfolio company actions.
- When faced with a cybersecurity incident or a suspected breach, companies should engage experienced counsel promptly to investigate. Among other steps, companies and their counsel should consider the benefits of self-disclosure under DOJ policies.
