Fraud & Abuse / Enforcement
- Ruthia He, founder and former CEO of digital mental health company Done Global Inc., was sentenced to six years in prison and a $1 million fine for a scheme that distributed more than 37 million Adderall pills and defrauded insurers of over $12 million Co-defendant David Brody, Done’s former clinical president, was sentenced to two years in prison and a $1 million fine. Court documents described a subscription-based platform, management incentives, and clinical protocols that paid up to $60,000 per month to clinicians who signed Adderall prescriptions every 30 seconds and used an auto-refill feature that generated prescriptions with minimal follow-up, in some cases continuing after patients were placed on psychiatric holds or had died. He and Brody submitted false prior authorization requests claiming Done followed DSM-5 criteria and used urine drug screens, causing Medicare, Medicaid, and commercial insurers to pay approximately $12.3 million. He also moved operations and assets to China, used encrypted and disappearing messages, deleted documents, and researched non-extradition countries to obstruct the investigation; both defendants were convicted in November 2025. Source: U.S. Department of Justice
- The HHS Office of Inspector General concluded that a home health agency’s payment of subscription fees for preferential access to a digital referral management platform could violate the Anti-Kickback Statute Advisory Opinion 26-15 addressed a platform hospitals use during discharge planning to transmit referral requests electronically to subscribing providers, who could review and respond before non-subscribers relying on fax, email, or phone. OIG found the arrangement did not satisfy the safe harbor for referral services and gave paying providers a competitive advantage in obtaining federal healthcare program beneficiaries rather than an advantage based on quality of services. The agency identified risks of patient steering, unfair competition, and overutilization, noting that providers incurring participation costs may increase utilization of reimbursable services to recover them. OIG advised providers and technology vendors to evaluate whether platform payments represent fair-market-value services or payment for referral opportunities. Source: Clark Hill
- The Texas Supreme Court holds that omissions claims under the Texas Health Care Program Fraud Prevention Act require proof of materiality, even though Section 36.002(2) does not use the word “material.” Reading the Act against common-law fraud principles, the Court concluded that omitted information must have mattered to the government’s payment decision, reversing a court of appeals decision that had revived claims against a laboratory testing company accused of failing to offer Texas Medicaid the same pricing and discounts extended to other payors. A defendant may negate materiality at summary judgment by presenting competent evidence of undisputed facts incompatible with materiality, shifting the burden to the State to create a genuine issue, and a regulatory violation alone does not establish materiality. Citing Universal Health Services, Inc. v. United States ex rel. Escobar, the Court stated that the government’s continued payment despite knowledge of an alleged violation is strong evidence of immateriality, and here the defendant disclosed the conduct, provided billing data, and kept receiving payment without objection while the State offered no explanation for continuing to pay. Chief Justice Blacklock, joined by Justice Busby, dissented, arguing that the provision requires causation rather than materiality and that the Court added an element the Legislature omitted. Source: False Claims Act Blog
Reimbursement & Payment
- CMS proposed paying for 340B-acquired drugs at Average Sales Price minus 33.4% for calendar year 2027, a reduction estimated to cut Original Medicare drug payments by $4.55 billion and beneficiary drug payments by $1.15 billion in the first year The Hospital Outpatient Prospective Payment System and Ambulatory Surgical Center proposed rule, issued July 2, 2026, would raise OPPS and ASC payment rates by 2.4%, based on a 3.2% market basket increase reduced by a 0.8 percentage point productivity adjustment. Because the 340B change must be budget neutral, CMS would increase payments for non-drug services by an equivalent amount, and it separately proposed raising the annual conversion factor offset for the prior 340B remedy from 0.5% to 3%, projecting recovery of $7.8 billion by CY 2029. The rule would extend site-neutral payment to imaging-without-contrast services in excepted off-campus provider-based departments, continue the three-year phase-out of the Inpatient Only list by removing 638 services, and add prior authorization for eight botulinum toxin injection codes. CMS also included a request for information on strengthening hospital price transparency data. Source: VMG Health
HIPAA & Data Privacy
- The projected publication date for the final HIPAA Security Rule has moved to July 2027, according to the federal government’s Reginfo.gov regulatory site In January 2025, the HHS Office for Civil Rights published a proposed rule to strengthen the Security Rule in response to increases in data breaches affecting 500 or more individuals reported between 2018 and 2023. Although OCR characterized the proposal as primarily adding detail to existing requirements, it marked changes from the original rule and drew criticism from provider organizations and other stakeholders. It is unclear how the current administration will respond to those criticisms. Source: Holland & Knight
- The Texas Hearing Institute notified at least 29,498 individuals of a March 2026 cyberattack that exposed names, Social Security numbers, financial information, and medical records The Houston pediatric hearing center identified unauthorized network access on March 20, 2026, and confirmed the data exposure on April 22; the Interlock ransomware group listed the institute on its dark web leak site, claiming 540 gigabytes of stolen data. The same roundup reported that Family Health Centers of Southern Indiana disclosed a January 2026 intrusion affecting 7,037 residents, with a threat group claiming roughly 250 gigabytes exfiltrated. A breach at third-party billing vendor MCBS, LLC exposed patient data of Stephen W. Brown & Radiology Associates of Augusta between September 22 and 26, 2025. The Wisconsin Department of Health Services reported that benefit-increase letters for 8,157 Medicaid recipients were mailed to outdated addresses. Source: HIPAA Journal
Healthcare AI & Digital Health
- UpDoc Inc. received FDA clearance for what it describes as the first Software as a Medical Device that uses a patient-facing large language model The company announced on June 25, 2026, that its type 2 diabetes medication management software, issued a 510(k) clearance letter on December 23, 2025, uses a conversational module allowing patients to enter data by voice or chat and receive treatment plan instructions specified by a provider. Future clearances will depend on each product’s intended functions, safety, and efficacy, and clinical AI will likely continue to serve as a support tool for clinicians rather than make independent diagnostic or treatment decisions because of human-in-the-loop and state practice-of-medicine requirements. Developers should assess the applicable clearance pathway — 510(k), De Novo, or PMA — and monitor FDA expectations for post-market surveillance, labeling, cybersecurity, and predetermined change control plans. LLMs with access to patient data also raise HIPAA, privacy, consent, and data governance concerns that require vetting vendors and imposing data use and redisclosure limitations. Source: McGuireWoods
- Healthcare AI startups most often fail security diligence through application-layer and AI-specific gaps rather than cloud infrastructure A HIPAA-eligible cloud provider secures infrastructure but leaves the startup responsible for how protected health information flows through prompts, logs, vector databases, and third-party API calls. Fine-tuning models on patient data or pulling unredacted notes into logged prompts can cause a system to reproduce protected health information to other users, so data should be de-identified before entering embedding or fine-tuning pipelines. Agents that can submit prior authorizations or update records should have permissions scoped to the minimum action needed, with human approval required for irreversible steps, reflecting the risk OWASP tracks as excessive agency. Every subprocessor that touches protected health information needs a signed business associate agreement and documented data flow, and a HIPAA risk analysis should precede the first pilot; IBM’s 2025 report put the average healthcare breach at $7.42 million. Source: HackerNoon
- AI chatbots can widen access to mental health care but face limits in treatment Dr. Ryan Raimi’s research examines why some users perceive AI systems as more judgmental than human providers, identifying the agents’ lack of real-world experience and their absence of social and emotional understanding as primary factors. He noted that many people seeking mental health care want to be heard rather than given a solution, which chatbots struggle to provide because empathizing with a client remains difficult. Raimi sees stronger use cases in triage and screening, which follow a straightforward structure, operate around the clock at negligible cost, and could help clinics facing staffing shortages. He said screening applications are approaching global deployment. Source: KERA News
Pharmacy Benefit Managers
- Express Scripts filed a declaratory judgment action against Texas Attorney General Ken Paxton seeking to block release of an unredacted contract with the Texas A&M University System After a public information request, Express Scripts proposed redactions to shield trade secrets, pricing, and personal information, but the Texas Office of the Attorney General ruled on June 2, 2026, that the contract must be released in full because state agencies are required to post vendor contracts and the statutory trade secret exemptions do not apply. Express Scripts argues the interpretation renders the disclosure exceptions meaningless and that the commercial information qualifies as protected trade secrets under Texas case law. The Texas posting requirement applies only to state agencies and institutions of higher education, not school districts, municipalities, or counties. Mintz advised PBMs and health plans contracting with public entities to label and segregate confidential information, draft trade secret language tracking the applicable statute, and require prompt notice of public records requests. Source: Mintz
Healthcare Costs & Affordability
- Rising employer health insurance costs have prompted leaders in both chambers of the Texas Legislature to charge lawmakers with drafting solutions ahead of the session beginning in January A Business Group on Health report projected business health costs would rise 9% nationally in 2026, and KFF put average annual premiums for employer-sponsored family coverage just under $27,000. Employers and experts attribute rising premiums to consolidation among hospitals and intermediaries such as pharmacy benefit managers, and to a lack of price transparency that impedes negotiation. State Rep. James Frank, chair of the House Select Committee on Affordable Healthcare, filed a lawsuit in May against Blue Cross Blue Shield of Texas alleging the insurer concealed prescription drug rebates to inflate employer costs. The Texas Hospital Association countered that consolidation keeps financially struggling rural hospitals open, noting 14 rural Texas hospitals have closed since 2015. Source: The Texas Tribune
