Data Privacy and Cybersecurity

Healthcare fraud enforcement in 2025: A year of aggressive action and expanding risk

2026 outlook for innovators, investors and the health tech ecosystem


I. 2025 in context: Enforcement accelerates under a new administration

Second, the DOJ's Criminal Division included healthcare fraud as one of its ten priority "high-impact" areas for 2025. This was quickly followed by the largest healthcare fraud takedown in DOJ history, anchored by "Operation Gold Rush,"1 with charges spanning telemedicine, genetic testing, kickbacks and technology-enabled schemes. The Health Care Fraud Strike Force was expanded into the District of Massachusetts, already one of the most active healthcare enforcement jurisdictions. The DOJ framed the Boston expansion in unusually forceful language, emphasizing the region's "world-class healthcare institutions, cutting-edge life sciences innovators and robust healthcare startup ecosystem"—a clear signal that the DOJ is not only watching closely, but intends to embed prosecutors within innovation hubs in order to scrutinize how complex commercial arrangements operate from the ground up.

This renewed emphasis on corporate criminal enforcement is further evidenced by two key developments. The Criminal Division expanded its Corporate Whistleblower Awards Pilot Program this year to cover federal healthcare benefit programs, which will likely lead to more parallel qui tam and criminal investigations. Furthermore, the two corporate criminal healthcare fraud resolutions announced in 2025 represent the first such resolutions since 2016, excluding the 2023 Corporate Enforcement Policy declination, underscoring this area's priority for the Criminal Division.2

Third, the DOJ reorganized and expanded its civil enforcement structure, announcing the new Enforcement & Affirmative Litigation Branch in September 2025. This new branch includes a rebranded Enforcement Section for Food, Drug, and Cosmetic Act (FDCA) and consumer protection cases, bringing medical device quality and deceptive digital marketing within the Enforcement Section's remit. This enforcement focus and continued coordination with the Civil Division's Fraud Section promises DOJ's continued interest in overlapping FDCA and False Claims Act (FCA) theories. At the same time, the DOJ continues to prioritize using the FCA to enforce cybersecurity violations—from unpatched vulnerabilities in medical device software to a managed care contractor's failure to secure patient data networks.

Finally, 2025 saw an unusually high number of FCA trials, along with a significant appeal from a ten-figure trial judgment. These included high-stakes disputes involving drug pricing, marketing conduct, invalid prescriptions, overbilling, medical necessity and off-label promotion. The willingness of the DOJ and relators to try these cases rather than settle demonstrates an aggressive posture and remarkable confidence in juries, and in the underlying theories of liability. This overall enforcement intensity is further underscored by the massive volume of non-trial activity, with the DOJ securing substantial FCA settlements throughout the year, often targeting high-priority areas like Medicare Advantage, kickbacks and cybersecurity fraud. 2025 also saw a jump in enforcement activity by state attorneys general, with states more frequently taking an aggressive and sometimes leading role in pursuing headline FCA claims.

The message across these developments is unmistakable: The enforcement landscape is only expanding and diversifying, as it continues to touch every segment of the healthcare, life sciences and digital health industries, and the private capital markets that support them.



II. The defining enforcement trends of 2025

1. AI and medical necessity: The next frontier of corporate healthcare liability

Artificial intelligence (AI) has begun moving from concept to concrete enforcement risk in 2025, as this year saw the government connect AI to medical necessity, upcoding and documentation integrity, particularly in the Medicare Advantage realm. The DOJ entered into its first non-prosecution agreement related to AI, involving a Medicare Advantage organization that used a proprietary platform to drive new enrollments through pharmacists in exchange for kickbacks.3 Long-running risk-adjustment litigation and resolutions provided the DOJ with a template for scrutinizing AI-driven chart reviews, coding vendor tools and retrospective documentation enhancements.

As AI tools are increasingly integrated into the delivery of care, the government is likely to argue that AI-enabled processes caused the submission of unlawful claims. DOJ and qui tam relators may name a parent company, private equity (PE) sponsor or management service organization (MSO) as a defendant when they direct the adoption of such a tool.

Telehealth and virtual care platforms also drew attention for AI-generated documentation and automated encounter summaries—areas ripe for scrutiny where clinical interactions may not fully align with generated documentation.

As enforcement agencies integrate AI into their own investigative toolkits, they are simultaneously signaling heightened expectations for AI governance within healthcare companies. Regulators increasingly view standards such as human-in-the-loop safeguards, model validation, hallucination controls and bias audits as essential, rather than merely aspirational, compliance features. This shift also supports a rapidly emerging "reckless disregard" theory of FCA liability tailored to AI. Where AI-enabled workflows generate risk-adjustment data, documentation or coding recommendations, the DOJ may argue that a company "had the data to know" that claims were inaccurate yet conveniently chose to ignore the red flags in real time. In other words, the traditional compliance narrative of slow, retrospective auditing loses credibility once a company deploys systems capable of revealing adverse trends immediately. The result is a shrinking margin for error as AI becomes both a tool of operational efficiency and a source of scienter for prosecutors and qui tam relators.

Simultaneously, state legislatures moved aggressively to regulate AI in healthcare, creating a patchwork of requirements that heighten exposure for multi-state operations. From Illinois' limitation on the use of AI in therapy and psychotherapy services4 and Maryland's new mandate requiring human review for any AI-driven insurance denials,5 to California's new "truth in AI" standards that require healthcare providers to disclose to patients whenever they are interacting with a Generative AI tool6—in this fragmented landscape, a regulatory foot-fault in one state is no longer just a local licensure issue. It may become the scienter predicate for a fraud investigation. Therefore, for multi-state healthcare and life-sciences organizations, the era of "one-size-fits-all" AI governance is effectively over. The new baseline is a localized, state-by-state compliance grid that must be mapped directly to federal reimbursement standards.

2. Marketing, patient support and remuneration risks continue

Anti-Kickback Statute (AKS) theories continued to be expansive. Enforcement touched:

  • Speaker programs: Scrutiny of marketing efforts involving provider speaker programs remained a staple of AKS enforcement. As one example, this year a prominent global pharmaceutical manufacturer paid a substantial AKS-based FCA settlement over honorarium payments, repeated meals at high-end restaurants and travel expenses to choice destinations, all for speaking engagements that the government alleged had low educational value.7 Crucially, the government's complaint focused on the failure of the company's internal compliance controls to prevent these specific expenditures, noting that the company maintained or had access to data but failed to use it to detect abuses. This is a logical extension of the DOJ's push over the past few years for companies to make better use of data in their compliance programs. It indicates the DOJ is moving beyond penalizing the bribe itself to punishing the "compliance void," holding companies liable when they maintain sophisticated policies on paper but willfully ignore the internal data and monitoring failures that would reveal their failure in practice.
  • Patient support and co-pay assistance: Patient-support programs intended to increase the accessibility of high-end rare disease treatments remained a focus. HHS-OIG issued a series of favorable advisory opinions regarding patient-support programs, relating to free product assistance, travel expenses, laboratory testing and charitable contributions.8 One pharmaceutical manufacturer faced allegations that its charitable program providing families of hemophilia patients with medical, educational and personal fitness support constituted a kickback. The manufacturer prevailed at trial.
  • PBM and broker arrangements: The DOJ has zeroed in on the role of intermediaries, from PBMs to Medicare Advantage brokers. One of the year's most notable developments is an intervened qui tam lawsuit alleging that three major national insurers compensated brokers with marketing payments that were effectively kickbacks to induce plan enrollment. This intervention directly challenges the industry's reliance on "administrative fee" safe harbors, signaling that regulators will penalize any payment structure that functionally tracks enrollment volume.
  • MSO arrangements: The DOJ continues to litigate a sprawling FCA qui tam lawsuit alleging kickbacks paid under the guise of MSO distributions. The case targets a complex scheme in which toxicology and blood-testing laboratories and hospitals allegedly made payments to referring physicians characterized as distributions on the physicians' investment returns in various MSOs.9 This is a warning that reliance on "safe harbor" provisions often used to consolidate physician practices may not shield healthcare entities—or private equity sponsors—from liability if "investment returns" track referral volumes.
  • Discounts and "office convenience" incentives: A settlement involving a medical device manufacturer illustrated that "remuneration" extends well beyond cash. The DOJ alleged that the supplier provided urologists with discounts, free samples and office supply cost savings in exchange for using the supplier's proprietary prescription form for prescribing catheters—a reminder that operational "perks" can carry the same liability as direct payments.10
  • Marketing and use of digital health platforms: Digital health platforms could face escalating scrutiny for marketing claims that blur the line between lifestyle benefit, clinical claim and therapeutic assertion. Several investigations focused on platforms that overstated clinical efficacy11—exemplified by the November 2025 conviction of executives for a US$100 million scheme utilizing deceptive ads and "auto-refill" technology to distribute Adderall,12 and the parallel indictment for a US$2.7 million genetic testing fraud involving falsified Medicare enrollment documents13—blending AKS, FDCA misbranding and consumer protection theories into a single enforcement vector. For 2026, the risk is algorithmic: Regulators are increasingly treating software that prioritizes higher-margin products not as a tool, but as a "digital kickback" hardwired into the platform.

3. FDCA-FCA hybrid cases

As noted in a July 2025 White & Case alert, device and diagnostic manufacturers face rising exposure for conduct that bridges the gap between regulatory non-compliance and fraud. In 2025, the DOJ continued to use the FCA to police Food and Drug Administration (FDA) violations, effectively treating the "conditions of payment" as a mechanism to enforce "conditions of approval."

Key areas of convergence included:

  • Use of unapproved or non-reimbursable diagnostic tests billed to government programs: This year saw multiple settlements alleging FCA violations for the marketing and reimbursement of devices for uses inconsistent with the parameters of FDA approval, as the DOJ continues to assert FCA theories based on alleged FDCA violations. For example, a diagnostic device manufacturer paid US$14.25 million to resolve allegations that it marketed a vision-testing device for populations and indications outside its cleared use.14
  • Data integrity failures: In November, a wound care management company paid US$45 million to resolve allegations that it manipulated its electronic health record (EHR) system to automatically drive higher-level billing codes.15 This resolution, coupled with the DOJ's newly released enforcement priorities, signals that "data integrity" extends to the design of clinical workflows: If a system's default settings bias a physician toward a more expensive code, the software configuration itself may be deemed evidence of fraud.
  • Fraudulent premarket sales and testing practices: The DOJ asserted both criminal and civil remedies against companies alleged to have deceived the government and the public about the FDA approval status of medical devices. In one particularly notable settlement, a knee implant manufacturer entered into a non-prosecution agreement for FDCA violations regarding the sales of two medical devices after an employee forged FDA 510(k) clearance documentation to sell uncleared devices. The company also paid US$38.5 million to settle FCA claims regarding the sale of knee replacement devices the company allegedly knew failed prematurely at a higher than acceptable rate, and AKS allegations related to consulting payments, international travel and entertainment to a surgeon who experienced problems with the knee replacement device.

Relatedly, DOJ and qui tam whistleblowers are aggressively pursuing allegations surrounding efforts to maximize prices and reimbursements charged to the government. In one significant case, a prominent PBM was found liable under the FCA in a bench trial for inflating pharmacy costs reported on Medicare Part D claims to offset lower costs paid on non-Medicare claims, resulting in a US$290 million judgment.16 Public comments from the DOJ confirm that the government will vigorously scrutinize device pricing as well, focusing on discounts, rebates, fees and price reporting to federal healthcare programs. Accordingly, finance departments must ensure drug and device companies do not use federal reimbursement margins to subsidize competitive pricing in commercial markets, at the risk of fraud liability.

4. Cybersecurity becomes a healthcare fraud issue

As noted in an August 2025 White & Case alert, the Civil Cyber-Fraud Initiative expanded materially into healthcare in 2025. Settlements with a leading genomic sequencing technology company and a major federal managed care contractor confirmed that cybersecurity failures can lead to FCA risk where a company's assurances to the government were inaccurate or misleading. Crucially, neither case involved an actual data breach. Rather, government allegations were triggered solely by the failure to meet privacy standards (NIST 800-53) and safety protocols (ISO 13485) promised in government contracts.17 Thus, just as a manufacturer cannot bill for a sterile device that has a broken seal, a healthcare company risks FCA liability for using software that violates its security certifications. Fraud occurs at the moment of the invoice, not the moment of the hack, and, therefore, for legal purposes, a security flaw can be asserted as a false claim even if patient data is never compromised or falsified.

Looking back into the crystal ball, the next wave of civil cyber-fraud enforcement will likely focus less on breaches themselves and more on misrepresentation and over-certification in government contracting. The government continues to expand its interpretation of "knowing recklessness," particularly where security attestations, SBOM obligations and third-party vendor access create exposure. Companies operating cloud-based health platforms, leveraging overseas support centers, or deploying AI-enabled tools should expect heightened scrutiny of how they verify and document cyber standards, not just how they respond to incidents.

5. Private equity in the spotlight—But with a changing enforcement temperature

The current administration appears more moderate toward private equity as a direct enforcement target compared to its predecessor. That said, the DOJ entered into a notable cybersecurity-related FCA settlement with a PE firm this year. The DOJ sought to impose liability on the PE firm for its portfolio company's failure to meet cybersecurity standards because the PE firm's personnel were actively involved in the allegedly non-compliant conduct. This settlement signals that if sponsor personnel step in to manage operational crises (like IT failures), they may bring the fund's assets into the scope of liability.

Additionally, states—including Massachusetts, Connecticut and Maine—introduced strict new reporting and oversight requirements on PE healthcare acquisitions. Massachusetts also has amended its state False Claims Act to add a new category of liability: for those with an ownership or investment interest in an entity that violates the state FCA.

Risk is shifting—not disappearing. The new dynamic is defined by state-level regulatory friction and private litigation. Deal-stage diligence checklists should now include:

  • AI tool validation
  • Coding and billing trend analysis
  • Compensation and MSO arrangement audits
  • Review of marketing claims and digital content
  • Cybersecurity systems and prior vulnerabilities
  • Well-developed whistleblower risk indicators

6. FCA healthcare and life sciences trials

2025 delivered several well-publicized FCA and healthcare fraud trials—a notably high one-year volume in the history of the statute. FCA enforcement has seen an increase in litigation involving healthcare and life sciences companies in recent years, but trials have been relatively rare. Coming years may signal more trial-heavy FCA practice, with the government, qui tam whistleblowers and defendants more willing to test their arguments in front of juries.

  • CVS/Omnicare (invalid prescriptions)

    The government tested expansive theories regarding "rollover" prescriptions automatically ordered on expired or invalid prescriptions without physician consultation, and a corporate parent's liability for a subsidiary's conduct. Crucially, the court held the corporate parent jointly and severally liable for US$164.8 million in penalties based solely on its participation in the claims process, establishing that a parent company faces statutory exposure even if a jury finds it caused no distinct financial loss.19 The trial highlighted how documentation gaps, internal communications, management pressure and unaddressed compliance risks can evolve into multi-year FCA exposure.

  • CVS Caremark (spread pricing)

    In a rare FCA bench trial, the court found liability for inflating plan sponsor drug costs reported on Medicare Part D claims submitted by PBMs. The non-intervened case underscored qui tam relators' increasing readiness to litigate sophisticated reimbursement and data-reporting theories rather than rely solely on settlement leverage.20

  • SuperValu (usual & customary pricing)

    Following the Supreme Court's 2023 decision in United States ex rel. Schutte v. SuperValu on FCA scienter, the remanded litigation re-emerged as a key flashpoint for subjective intent standards and causation/damages. Trial proceedings showed how plaintiffs can use employee testimony, internal emails, regulatory guidance and pricing records to establish scienter. The defendants ultimately exploited the complexities of Medicare Part B reimbursement rules to persuade the jury to find no damages.

  • Novo Nordisk (AKS)

    In a major defense victory in November, a federal jury sided with Novo Nordisk in a trial led by the Washington State Attorney General.21 The case tested certain theories regarding off-label marketing and whether charitable patient support—such as medical expenses, gym memberships, and educational supplies such as laptops and tutoring—constituted prohibited remuneration.

  • Ferncreek Cardiology, P.A. (medical necessity)

    A North Carolina jury found in favor of a cardiology practice and member cardiologists alleged to have performed thousands of medically unnecessary cardiac procedures.22 The result was a rare loss in an FCA trial for the DOJ, which intervened in the case along with the state of North Carolina. The jury's conclusion that the procedures were medically necessary suggests, similar to the result in the Novo Nordisk trial, that deference to medical judgment and the doctor-patient relationship are powerful narratives to finders of fact.

  • Healthcare Associates of Texas, LLC (overbilling)

    In a non-intervened case litigated by a former employee turned qui tam relator, a jury found a provider group and individual defendants liable for submitting claims that violated a variety of different Medicare rules, including claims misidentifying the rendering provider, billing for laboratory and imaging services not allowed under Medicare "incident to" service rules, and billing for services performed by unapproved providers. The trial result illustrates how compliance gaps and persistent documentation errors can lead to years of FCA liability, whether the DOJ or a whistleblower takes the lead.23

  • Janssen Products (off-label promotion)

    While the verdict in this case was reached in late 2024, the final judgment of US$1.64 billion was entered in March 2025.24 The jury's verdict shows that FCA off-label marketing claims—here, litigated by a qui tam relator after the DOJ's declination—remain potent despite judicial constructions imposing limits on this theory of FCA liability. The case is currently on appeal, with the validity of the trial court's jury instruction on FCA liability for off-label marketing among the issues in dispute.

Across these disputes, a few themes dominated. First, the government appears confident in presenting highly technical evidence to finders of fact, including juries—from risk-adjustment algorithms to complex PBM pricing structures. Second, relators appear emboldened, taking to trial cases that historically might have settled. Finally, defendants are increasingly willing to present their defense to factfinders, with mixed results—ranging from complete defense verdicts to liability and adverse verdicts resulting in massive damages and penalties.

The Supreme Court's 2023 SuperValu decision deserves a special call-out here, as its ramifications continued to unfold in ongoing investigations and litigation. The Court's decision reinforced that FCA scienter turns on what the defendant actually believed at the time a claim was submitted, rather than on a later-discovered "objectively reasonable" interpretation of ambiguous regulations. Although the Court rejected the notion that regulatory ambiguity automatically can defeat proof of scienter, it expressly preserved an avenue for honest-mistake or good-faith-interpretation defenses, provided defendants can show contemporaneous subjective belief in the lawfulness of their conduct. In practice, SuperValu intensified scienter as a fact-intensive inquiry into state of mind, internal deliberations and compliance posture, and barred defendants from justifying conduct solely through post-hoc legal rationalizations. This shift has proved significant because it expanded the importance of documenting real-time legal analysis and interpretive uncertainty. This continues to be key to affirmatively rebutting proof of scienter.

The willingness to test aggressive theories of liability signals that 2026 will be a year of high-stakes litigation, where the DOJ and plaintiffs are willing to push novel arguments to trial, and defendants are increasingly emboldened to take them to verdict. Additionally, exorbitant FCA penalties, sometimes dwarfing damages amounts, are leading the DOJ to proceed with caution in penalties it seeks and may subject penalty assessments to appellate court scrutiny.



III. Innovator company enforcement themes



IV. AI in the chain of care



Looking ahead: Enforcement predictions for 2026

1. Enforcement volume will increase as DOJ leadership consolidates

With the DOJ's healthcare fraud leadership in place, 2026 is expected to bring more coordinated and aggressive investigations. Interagency collaboration with HHS-OIG, CMS, FDA and the Federal Bureau of Investigation (FBI) will accelerate multi-theory cases that blend billing, AI, cybersecurity and FDCA violations. Simultaneously, severe staffing cuts at HHS and turnover at the DOJ will draw out investigations. Companies should expect longer, more complex inquiries with broader document and data requests.

Simultaneously, government agencies are actively building internal data mining capabilities to analyze claims data, coding patterns, telehealth usage and device safety anomalies. Companies that rely on AI for clinical documentation, coding or patient engagement will face heightened scrutiny around model bias, hallucinations and human oversight. Expect the DOJ to frame AI-related inaccuracies as "reckless disregard" under the FCA scienter standard if strict human-in-the-loop protocols are absent, which could lead to a change in traditional compliance. For decades, companies have relied on auditing a "random sample" of charts to prove they are compliant. However, that logic collapses when AI enters the loop, as deploying AI tools can reveal adverse trends or failures immediately, unlike the traditional human reporting cycle. Continuing to rely on slow, sample-based auditing while possessing AI capabilities could expose companies to allegations that they knowingly ignored the "total picture" data their own systems were capable of generating.

Tactical actions to prepare: Implement privileged "AI governance memos" documenting rationale for AI deployment choices (this supports SuperValu subjective scienter protection). Conduct AI vendor "explainability" interviews to ensure the company can articulate how outputs are generated—before the DOJ asks.

2. Medicare Advantage risk adjustment will remain at the center of FCA litigation

The coming year will almost certainly see new investigations into risk score inflation, retrospective chart reviews and vendor-driven coding enhancements. States may join this enforcement wave as Medicare Advantage plans continue expanding enrollment. Medicare Advantage organizations that integrate AI into their risk-adjustment workflows will face dual exposure under both the FCA and evolving state AI laws.

Tactical actions to prepare: Launch micro-audits of all chart-review vendors, including qualitative audits of query language used to avoid suggestions that "nudge" clinicians. Add state-by-state MA compliance overlays to reflect divergence in emerging state AI statutes.

3. Private equity scrutiny will shift to state-level enforcement

While federal enforcement interest may have softened, states are filling the space, with new disclosure laws, transaction reviews and ownership reporting regimes, as well as the potential new theory of FCA liability in Massachusetts specifically targeting PE ownership of healthcare entities. Whistleblowers remain highly interested in alleging that PE investment structures drive unnecessary services or exploit telehealth platforms. In 2026, PE should anticipate increased state AG investigations, while remaining a focus for qui tam relators.

Tactical actions to prepare: Create state transaction-reporting heat maps to identify jurisdictions that require heightened review for PE ownership structures. Introduce deal-stage "remuneration sensitivity analyses" assessing where PE-driven efficiency initiatives could appear to influence clinical volume.

4. Hybrid FDCA–FCA theories will continue to expand

The DOJ's new Enforcement & Affirmative Litigation Branch will advance priority cases involving unapproved diagnostics, device quality failures and misleading direct-to-consumer (DTC) advertising. At the same time, the government continues to view FDCA violations not just as regulatory failures, but as fraud when linked to reimbursement requests. Companies with global supply chains should expect heightened scrutiny of overseas testing, data integrity and manufacturing certifications.

Tactical actions to prepare: Perform failure-mode walk-throughs for devices or diagnostics to identify points where incorrect labeling, settings or indications could create FCA exposure. Implement "global provenance testing" documentation, showing traceability of data, testing, and manufacturing inputs across borders.

5. Increase in trials will reshape settlement dynamics

The increasing willingness of the DOJ, relators and defendants—including prominent, multinational companies—to take FCA cases to trial will continue. This is especially likely in non-intervened cases led by qui tam relators, emboldened by the general trend of relators' success in trying FCA cases. Recent defense victories on liability and damages are likely to lead to more well-resourced defendants being willing to present their defenses to juries rather than settle cases with novel or expansive theories by the DOJ or relators. This trend will influence how boards and investors assess litigation exposure and reserve strategies.

Tactical actions to prepare: Maintain "regulatory ambiguity folders" showing contemporaneous uncertainty and internal legal consultation. Implement pre-emptive expert gap analyses to ensure the company can rebut coding, pricing or AI interpretation arguments.

6. Cybersecurity and digital infrastructure will become core healthcare fraud theories

Under the Civil Cyber-Fraud Initiative, companies will face liability when cybersecurity representations in government contracts or attestations prove inaccurate. As more networked medical devices, telehealth platforms and cloud-based tools enter the market, cybersecurity failures will increasingly be framed as patient safety risks. Expect cross-border enforcement where foreign vendors support US providers or handle protected patient data.

Tactical actions to prepare: Perform "attestation dry runs"—privileged walk-throughs of NIST, SBOM or ISO attestations to identify overstated capabilities. Introduce cross-border vendor privilege reviews for offshore technical support or cloud providers.

7. Globalization will pull non-US companies into the US enforcement orbit

Companies manufacturing devices or providing digital health services overseas will face greater scrutiny of testing accuracy, quality controls and data-handling practices. The DOJ has signaled particular concern about offshore coding vendors, support centers and tech companies assisting US providers. In 2026, cross-border internal investigations and voluntary disclosures will likely become more common.

Tactical actions to prepare: Perform cross-border coding vendor shadow audits, especially for offshore teams supporting billing or documentation. Create "global testing concordance reports" showing consistency between overseas validation studies and US-submitted claims.



What to do now: 2026 Healthcare fraud enforcement checklist

1. Tighten AI & technology controls

  • Implement human-in-the-loop safeguards for all AI-driven documentation, coding, and risk-adjustment processes
  • Conduct AI bias, accuracy and provenance audits with documented validation
  • Maintain real-time analytics dashboards to surface FCA red flags early
  • Map algorithmic decision points that could be construed as remuneration or "digital kickbacks"

2. Address cybersecurity & digital infrastructure

  • Perform cyber attestation audits before submitting any government-facing certifications
  • Inventory vendor access to PHI and government systems—including offshore teams
  • Confirm patch management and version control aligned to NIST 800-53 and ISO 13485
  • Maintain breach-decision logs demonstrating good-faith security oversight

3. Examine billing, pricing & documentation controls

  • Deploy continuous billing surveillance to replace slow retrospective audits
  • Conduct pricing transparency and spread-pricing reviews for MA and PBM relationships
  • Audit digital marketing claims and AI-generated patient communications
  • Validate documentation integrity where telehealth and automation intersect

4. Kickback & remuneration risk mitigation

  • Review MSO distributions, broker incentives and administrative fee structures against AKS theory
  • Enhance controls over speaker programs, co-pay support and digital perk offerings
  • Audit value transfers embedded in health tech platforms

5. Private equity & deal-stage safeguards

  • Add AI/technology risk mapping to acquisition diligence
  • Evaluate coding and reimbursement trend drivers, not just historical performance
  • Clarify board oversight of operational compliance in portfolio companies

6. Trial-readiness & documentation

  • Preserve contemporaneous intent records that support subjective good faith (consistent with the SuperValu defense, discussed above)
  • Maintain a unified compliance narrative across legal, finance and operations
  • Prepare trial exhibit roadmaps for potential FCA disputes early


Conclusion

2025 revealed a healthcare fraud landscape that is broad, aggressive and deeply interconnected with emerging technologies and evolving business models. For innovators, digital health companies and investors, the pace of change demands more than reactive compliance. It requires a strategic, predictive view of enforcement—one that considers how regulators connect data systems, financial arrangements and clinical workflows to construct theories of liability.

In 2026, companies that invest in forward-looking compliance—particularly around AI, cybersecurity, documentation integrity, pricing transparency and remuneration structures—will be positioned not only to withstand increased scrutiny, but to differentiate themselves through trust and operational excellence.


Saar Neri (White & Case, Law Clerk, Boston) contributed to the development of this publication.

1 United States Department of Justice, United States Attorney's Office, Eastern District of New York, 11 Defendants Indicted in Multi-Billion Health Care Fraud Scheme, the Largest Case by Loss Amount Ever Charged by the Department Of Justice (June 30, 2025), See here.
2 Matthew R. Galeotti, Acting Assistant Att'y Gen., Crim. Div., U.S. Dep't of Just., Remarks at SIFMA's Anti-Money Laundering and Financial Crimes Conference (May 12, 2025), See here.
3 United States Department of Justice, Office of Public Affairs, Troy Health, Inc. Enters Non-Prosecution Agreement and Admits to Fraudulently Enrolling Medicare Beneficiaries and Identity Theft (Aug. 20, 2025), See here.
4 Illinois Department of Financial and Professional Regulation, Gov. Pritzker Signs Legislation Prohibiting AI Therapy in Illinois (Aug. 4, 2025), See here.
5 H.B. 820, 2025 Reg. Sess. (Md. 2025), Health Insurance - Utilization Review - Use of Artificial Intelligence, See here.
6 California Legislature, Assembly Bill 3030, Health care services: artificial intelligence (Sept. 28, 2024), See here.
7 United States Department of Justice, United States Attorney's Office, Southern District of New York, U.S. Attorney Announces $202 Million Settlement With Gilead Sciences For Using Speaker Programs To Pay Kickbacks To Doctors To Induce Them To Prescribe Gilead's Drugs (Apr. 29, 2025), See here.
8 HHS-OIG Advisory Opinion 25-01, 25-06, 25-07, and 25-10.
9 United States Department of Justice, Office of Public Affairs, Laboratory CEO, Marketers, and Physicians to Pay Over $6M to Settle Allegations of Management Service Organization and other Lab Testing Kickbacks (Sept. 8, 2025), See here.
10 United States Department of Justice, United States Attorney's Office, Northern District of Georgia, C.R. Bard, Inc. and Affiliates Pay $17 Million to Resolve Allegations of Healthcare Kickbacks (Jan. 23, 2025), See here.
11 United States Department of Justice, United States Attorney's Office, District of New Jersey, Diopsys, Inc. Agrees To Pay Up To $14.25 Million To Resolve Alleged Federal False Claims Act And State Law Violations Relating To Vision Testing (Mar. 27, 2025), See here; United States Department of Justice, Office of Public Affairs, Aesculap Implant Systems Agrees to Pay $38.5M to Resolve False Claims Act Allegations Related to Knee Implant Failures and Enters into a Non-Prosecution Agreement Related to the Introduction of Two Adulterated Medical Devices into Interstate Commerce (Nov. 17, 2025), See here.
12 United States Department of Justice, Office of Public Affairs, Founder/CEO and Clinical President of Digital Health Company Convicted in $100M Adderall Distribution and Health Care Fraud Scheme (Nov. 20, 2025), See here.
13 United States Department of Justice, Office of Public Affairs, U.K. Citizen Indicted for $2.7M Telehealth Scheme (Nov. 21, 2025), See here.
14 United States Department of Justice, Office of Public Affairs, Diopsys Inc. Agrees to Pay up to $14.25 Million to Resolve Alleged Federal False Claims Act and State Law Violations Relating to Vision Testing (Mar. 28, 2025), See here.
15 United States Department of Justice, Office of Public Affairs, Vohra Wound Physicians and its Owner Agree to Pay $45M to Settle Fraud Allegations of Overbilling for Wound Care Services (Nov. 21, 2025), See here.
16 United States ex rel. Behnke v. CVS Caremark Corp., No. 2:14-cv-00824 (E.D. Pa. Aug. 19, 2025).
17 United States Department of Justice, Office of Public Affairs, Illumina Inc. to Pay $9.8M to Resolve False Claims Act Allegations Arising from Cybersecurity Vulnerabilities in Genomic Sequencing Systems (July 31, 2025), See here; United States Department of Justice, Office of Public Affairs, Health Net Federal Services, LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability for Cybersecurity Violations (Feb. 18, 2025), See here.
18 United States Department of Justice, Office of Public Affairs, California Defense Contractor and Private Equity Firm Agree to Pay $1.75M to Resolve False Claims Act Liability Relating to Voluntary Self-Disclosure of Cybersecurity Violations (July 31, 2025), See here.
19 United States ex rel. Bassan v. Omnicare, Inc., 2025 LX 302042 (S.D.N.Y.).
20 See supra note 16.
21 Siegel v. Novo Nordisk, Inc., No. 3:23-cv-05459 (W.D. Wash.).
22 United States, et al. ex rel. Devarapally, M.D. v. Ferncreek Cardiology, P.A., No. 5:17-cv-616 (E.D.N.C.).
23 United States ex rel. Taylor v. Healthcare Assocs. of Tex., LLC, No. 3:19-cv-02486 (N.D. Tex.).
24 United States ex rel. Penelow v. Janssen Prods., LP, No. 3:12-cv-07758 (D.N.J.).

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2025 White & Case LLP
