NEW YORK – The US Food and Drug Administration on Thursday issued a letter warning clinical labs and healthcare providers about a cybersecurity vulnerability in certain Illumina sequencing instruments.
"At this time, the FDA and Illumina have not received any reports indicating this vulnerability has been exploited," the FDA said in the letter.
The vulnerability affects the local run manager software on NextSeq 550Dx, MiSeq Dx, NextSeq 550, MiSeq, iSeq, and MiniSeq instruments. The FDA said an unauthorized user could exploit the vulnerability to take control of the instrument remotely; alter settings, configurations, software, or data on the instrument or customer's network; or impact patient test results by causing the instrument to provide no results or incorrect, altered results. There is also the potential for a data breach.
Illumina has developed a software patch to protect against exploitation of the vulnerability and is working to provide a permanent software fix, the firm said in a statement. "Illumina takes data privacy and cybersecurity very seriously and prioritizes instrument security and the protection of genomic and personal data," the firm said.
The FDA advised users to review information sent by Illumina and immediately download and install the software patch.
According to the FDA, Illumina sent notifications to affected customers on May 3, 2022, instructing them to check instruments for signs of exploitation. The vulnerability had been reported to Illumina by Pentest, a UK-based cybersecurity company, according to an advisory from the Cybersecurity & Infrastructure Security Agency (CISA), part of the US Department of Homeland Security. Illumina then reported the vulnerabilities to CISA.
It is unclear when Illumina learned of the vulnerabilities and when it reported them to CISA. Illumina did not immediately respond to additional questions about the timeline of discovering and reporting the vulnerabilities.
The FDA encouraged users to report any breaches or suspected breaches.