FDA warns of cybersecurity vulnerability in Illumina’s Universal Copy Service Software, possible risks to patients

In a letter sent to healthcare providers and laboratory personnel on April 5, 2023, the FDA warned of a cybersecurity vulnerability in the Universal Copy Service (UCS) software used in several Illumina DNA-sequencing instruments, including MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000, and NovaSeq 6000. The medical devices are used to sequence an individual’s DNA to check for a number of genetic conditions during clinical diagnoses and are also specified for research use only (RUO).

Though neither the FDA nor Illumina has been alerted to any exploitation of the software to date, officials say that the vulnerability could allow an unauthorized user to

  • take control of an instrument remotely
  • adjust an instrument’s settings, configurations, software, and data on both the device and a patient’s network
  • compromise genomic data results meant for clinical diagnosis, and/or tamper with the instruments so they yield “no results, incorrect results, altered results, or a potential data breach.”

 

In response to the issue, Illumina advised affected customers to

  • read over the Urgent Medical Device Recall or Product Quality Notification (for RUO users) sent by the company on April 5, 2023.
  • inspect their instruments and devices for any indication of an exploitation.
  • download and install a software patch developed by Illumina to protect against any exploitation/cybersecurity risks.
  • email techsupport@illumina.com for alternatives to installing the software patch in the event that the user is not connected to the internet.
  • email techsupport@illumina.com immediately if any signs of a cybersecurity compromise are observed.

Officials noted that a number of the instruments listed above come with a “dual boot mode” which allows a user to toggle between clinical diagnostic mode and RUO mode. Users are reminded that RUO devices are usually still in a development phase, and though they may be used in some labs with tests for clinical diagnostic use, the instruments should be carefully labeled “For Research Use Only. Not for use in diagnostic procedures.”

At this time, the FDA continues to collaborate with Illumina and the CISA (Cybersecurity and Infrastructure Security Agency) to identify issues and develop mitigation strategies against any adverse events linked to the vulnerability. The CISA’s published advisory on the issue can be referenced here. Affected healthcare providers and laboratory personnel will be informed of any updates as more information is learned.

Users are encouraged to report any adverse events while using the device to the FDA’s MedWatch program.

 
