GA Tech ‘Worked Hard to Educate’ DOJ; At $875K, FCA Amount Is Surprisingly Small

Health Care Compliance Association (HCCA)

Report on Research Compliance 22, no. 11 (November, 2025)

Three years after two Georgia Tech cybersecurity officials filed suit claiming the institution had fabricated scores submitted to the Department of Defense (DOD) regarding its safeguards for federal research projects, the institution, along with Georgia Tech Research Corporation (GTRC), agreed to pay $875,000.

The amount resolves False Claims Act (FCA) allegations that Georgia Tech’s work for the Air Force and Defense Advanced Research Projects Agency, part of DOD, did not comply with required security safeguards and thus was fraudulent.

Although the settlement amount pales in comparison to what was expected based on previous settlements under what the Biden administration called the Civil Cyber-Fraud Initiative—including $1.25 million that Pennsylvania State University paid last year—Julie Bracker, the whistleblower attorney who brought both cases, told RRC her firm has “more than a dozen” similar cases filed under seal, with more in the works.

Thus, universities and other research organizations that must meet cybersecurity requirements shouldn’t assume they’ll get off lightly if similarly accused. Of course, defending against such accusations is often more costly than settlement payments themselves.

Georgia Tech and GTRC did not admit to wrongdoing as part of the settlement, a position they have maintained since the case began, generally arguing the contracts were for basic research that was exempt from certain cybersecurity protocols. Penn State also didn’t admit liability as part of its settlement. The Department of Justice (DOJ) did not require any corrective actions, such as enhanced cybersecurity efforts, as part of either of these settlements (it did in a prior FCA settlement agreement with Cleveland Clinic).

Georgia Tech would not answer any questions from RRC but instead supplied the following statement: “From the outset, Georgia Tech denied the government’s allegations that mischaracterized our commitment to cybersecurity. We worked hard to educate the government about the strong compliance efforts of our researchers and are pleased to avoid the distraction of litigation by resolving this matter without any admission of liability. Georgia Tech looks forward to continued collaboration with [DOD] and other federal partners in conducting ground-breaking research in a secure manner.”

DOJ announced the Georgia Tech settlement a day before the end of fiscal year (FY) 2025 and the shutdown that began Oct. 1, following Congress’ failure to enact appropriations legislation for FY 2026.

The agency accused Georgia Tech of failing to follow the National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, and implement other safeguards, such as those under the defense federal acquisition regulations. The claims related to two contracts for which the organizations were paid more than $30 million.[i]

Under the settlement, half of the $875,000 ($437,500) is restitution. Separately, GTRC agreed to pay the two whistleblowers a total of $201,250. Additionally, GTRC made an agreement for payment to Bracker, the terms of which were not made public. Bracker told RRC she could not disclose details of this agreement.

As RRC previously reported, the contracts at issue were with Georgia Tech’s Astrolavos Lab, which DOJ said “conducted sensitive cyber-defense research for DOD.” DOJ alleged that, “until December 2021, those entities failed to install, update or run anti-virus or anti-malware tools on desktops, laptops, servers and networks” at the lab.

It also “alleged that until at least February 2020, there was no system security plan in place for the Astrolavos Lab to set out the cybersecurity controls that GTRC’s contracts required” and that “in December 2020, GTRC and Georgia Tech submitted a false summary level cybersecurity assessment score to DOD, which supposedly applied campus-wide.”

‘At the Beginning’ of Cases

The parties began settlement talks in May; seemingly impatient with the progress, District Court Judge J.P. Boulee of the Northern District of Georgia administratively closed the case in August.[ii] For a detailed timeline, see “Three Years From Qui Tam Suit to GA Tech Settlement.”[iii]

The FCA gives the government the authority to impose fines up to three times the amount it believes was obtained through fraudulent means. In its 99-page complaint-in-intervention filed Aug. 22, 2024, DOJ used the word “billions” five times.

“According to financial data published on its website, between fiscal years 2019 and 2022, GTRC entered into more than $1.6 billion in government contracts, primarily with the federal government and specifically DOD. In 2022 alone, GTRC entered into more than $423 million in government contracts, primarily with the federal government and specifically DOD,” the filing relates.

DOJ didn’t explain the payment amount, and Bracker said she could not comment on the settlement talks, citing confidentiality requirements. But aside from payment amounts, she warned institutions to expect similar enforcement actions.

“As the accelerating series of settlements in 2025 demonstrates, sealed cases under the cyberfraud initiative are still at the beginning phase of being made public, through settlement or otherwise. Bracker & Marcus has more than a dozen cyber cases under seal, with another dozen being investigated, and of course other firms are also filing these matters—we are really still just at the beginning,” she told RRC.

This is the second recent settlement of this type. On July 31, DOJ announced a $9.8 million settlement with Illumina Inc., a genome sequencing firm also initially sued by a whistleblower related to alleged cybersecurity violations; $4.3 million is restitution.

Penn State Lab Similarly Accused

In the Penn State case, DOJ contended the university violated the FCA because it submitted or caused to be submitted false claims based on its “alleged failure, during the period from January 2018 to November 2023, to implement certain NIST SP 800-171 controls.”

Bracker had sued Penn State on Oct. 5, 2022, but while that case also concluded with a settlement, it unfolded differently. That suit was unsealed by a judge prior to DOJ even intervening. DOJ’s intervention took the form of the settlement agreement it announced Oct. 22, 2024.[iv]

At that time, Bracker told RRC the Penn State and Georgia Tech cases were “very similar in that they’re against academic research institutions who are not making sure that principal investigators are properly taking care of government-controlled unclassified information.”

The whistleblower in that case was Matthew Decker, the chief information officer at Penn State’s Applied Research Lab from November 2015 to March 2023. Decker received $250,000. Separately, Penn State agreed to pay Bracker’s firm $150,000.

In May 2024, Cleveland Clinic paid DOJ $7.6 million in a case that was primarily about foreign award support but that also had cybersecurity implications. DOJ contended the clinic did not report that an investigator had pending or other support from an institution in China when he applied for, and won, NIH awards.

The investigator contended he had made full disclosures to Cleveland Clinic and that someone else had entered his information using his credentials, which led to DOJ dropping FCA and wire fraud charges against him. As part of the settlement, NIH imposed a one-year corrective action plan on Cleveland Clinic and required it to “create a mandatory training program addressing requirements for disclosing other grant support, research security, and cyber security,” among other tasks.


[i] U.S. Department of Justice, settlement agreement with Georgia Tech Research Corporation, September 29, 2025, https://bit.ly/4pUsrzF.

[ii] Theresa Defino, “Amid Talks, GA Tech Case Closed; New Cybersecurity Settlement Announced,” Report on Research Compliance 22, no. 9 (September 2025): 4.

[iii] Theresa Defino, “Three Years From Qui Tam Suit to GA Tech Settlement,” Report on Research Compliance 22, no. 11 (November 2025): 10.

[iv] Theresa Defino, “Penn State, GA Tech Cybersecurity Cases Join 10 Others FCA Attorney Has Under Seal,” Report on Research Compliance 21, no. 12 (December 2024): 1.

https://www.hcca-info.org/publications/newsletters/report-research-compliance
