Illumina Cybersecurity Vulnerability Affecting the Universal Copy Service Software May Present Risks for Patient Results and Customer Networks: Letter to Health Care Providers

July 7, 2023  – The FDA determined Illumina’s actions are considered a Class II recall, a situation in which use of the device may cause serious adverse health consequences.  

April 27, 2023

The U.S. Food and Drug Administration (FDA) is informing health care providers and laboratory personnel about a cybersecurity vulnerability affecting the Universal Copy Service (UCS) software in the Illumina MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000, and NovaSeq 6000 sequencing instruments. These instruments are medical devices that may be specified either for clinical diagnostic use in sequencing a person’s DNA for various genetic conditions or for research use only (RUO).

An unauthorized user could exploit the vulnerability by:

• taking control remotely;
• altering settings, configurations, software, or data on the instrument or a customer’s network; or
• impacting genomic data results in the instruments intended for clinical diagnosis, including causing the instruments to provide no results, incorrect results, altered results, or a potential data breach.

At this time, the FDA and Illumina have not received any reports indicating this vulnerability has been exploited. 

llumina developed a software patch to protect against the exploitation of this vulnerability. The FDA wants health care providers and laboratory personnel to be aware of the required actions to mitigate these cybersecurity risks.

Recommendations

• Review the Urgent Medical Device Recall or Product Quality Notification (for RUO customers) that Illumina sent to affected customers on April 5, 2023. If you did not receive a notification from Illumina, but believe you should have, please contact techsupport@illumina.com.
• Immediately download and install the software patch for all affected instruments. 
• Contact techsupport@illumina.com for instructions about other ways to install the software patch if you are not connected to the internet.
• Immediately contact techsupport@illumina.com if you suspect your instrument may have been compromised by an unauthorized user.

For more information about Illumina’s cybersecurity vulnerability, see the Cybersecurity and Infrastructure Security Agency (CISA) published advisory, ICSMA-23-117-01 Illumina Universal Copy Service.

The FDA’s recommendations issued on June 2, 2022, for health care providers about addressing a separate Illumina cybersecurity vulnerability have not changed.

Background

On April 5, 2023, Illumina sent notifications to affected customers instructing them to check their instruments and medical devices for signs of potential exploitation of the vulnerability.

Some of these instruments have a dual boot mode that allows a user to operate them in either clinical diagnostic mode or RUO mode. Devices intended for RUO are typically in a development stage and must be labeled “For Research Use Only. Not for use in diagnostic procedures.” – though some laboratories may be using them with tests for clinical diagnostic use.

Illumina developed a software patch to protect against the exploitation of this vulnerability.

At this time, the FDA and Illumina have not received any reports indicating this vulnerability has been exploited.

FDA Actions

The FDA is working with Illumina and coordinating with the CISA to identify, communicate, and prevent adverse events related to this cybersecurity vulnerability. The FDA will continue to keep health care providers and laboratory personnel informed if new or additional information becomes available.

Reporting Problems to the FDA

The FDA encourages users to report any adverse events or suspected adverse events experienced with Illumina’s next generation sequencing instruments.

• Voluntary reports can be submitted through MedWatch, the FDA Safety Information and Adverse Event Reporting program.

• Device manufacturers and user facilities must comply with the applicable Medical Device Reporting (MDR) regulations.

• Health care personnel employed by facilities that are subject to the FDA's user facility reporting requirements should follow the reporting procedures established by their facilities.

Contact Information

If you have questions about this letter, contact the Division of Industry and Consumer Education (DICE).