On July 31, 2025, the U.S. Department of Justice (DOJ) announced a $9.8 million settlement with a leading DNA sequencing technology company under the False Claims Act (FCA). While FCA cases in the life sciences industry are not new, this marks one of the first settlements centered on cybersecurity-related allegations - a sign of the DOJ’s expanding enforcement priorities.
Why This Case Matters to the Medical Device Industry
The DOJ’s focus in this case was not on whether a breach occurred, but on whether cybersecurity practices and representations were consistent with then-prevailing “state of the art” expectations - particularly for systems sold to government entities. This represents a shift in enforcement attention, extending FCA scrutiny into the realm of cybersecurity compliance.
- Cybersecurity “state of the art” is a compliance requirement — not just a best practice.
- Accuracy matters — claims about cybersecurity posture must be supported by documented and verifiable evidence.
- Proactive governance is essential — cross-functional collaboration between engineering, product security, quality, regulatory, and legal teams can help ensure alignment with evolving expectations.
Understanding “State of the Art”
Under Section 518(b) of the Federal Food, Drug, and Cosmetic Act, the FDA may require repair, replacement, or refund (the “3R” authority) if a device:
- Represents an unreasonable risk of substantial harm to public health;
- Was not designed and manufactured in accordance with the then-prevailing state of the art; and
- Has risks not attributable to negligent installation, maintenance, or use by others.
In this case, the DOJ’s action highlights that cybersecurity is now viewed as part of the state of the art baseline for medical technologies - and manufacturers are expected to design, maintain, and update systems accordingly.
Key Takeaways for Manufacturers
- Treat cybersecurity as part of “state of the art”
  Build security controls into your processes, design, testing, and postmarket activities in line with FDA and industry standards, applying the best practices and state of the art at the time of design, and review on-market devices for cybersecurity risks if cybersecurity was not considered when they were designed.
- Accuracy in representations
  Any claims about cybersecurity posture - whether in marketing materials, regulatory submissions, or customer communications to government customers or regulators - must be supported with evidence.
- Proactive governance
  Cross-functional collaboration across engineering, product security, regulatory, quality, and legal teams ensures alignment with evolving expectations. Encourage internal reporting of security concerns and have defined processes for reviewing and addressing them.
- Lifecycle vigilance
  Maintain thorough records of cybersecurity measures, testing results, and corrective actions. Documentation can be as important as the measures themselves.
The Bigger Picture
FCA settlements have historically focused on billing, marketing, or regulatory compliance issues. This case shows that cybersecurity and claims pertaining to it are now part of that equation, and it’s likely we’ll see more enforcement actions that hinge on how well security is integrated into medical technology.
For manufacturers, this is an opportunity to strengthen both security and compliance programs - reducing risk while protecting patient safety and maintaining trust with customers and regulators.
Closing Thought:
At Medcrypt, we work with manufacturers across the product lifecycle to help ensure that cybersecurity is built in, tested, documented, and ready for regulatory review. Cases like this underscore the importance of that work - not just for security’s sake, but as a critical component of overall governance, risk and compliance management.