Healthcare Fraud and False Claims
- Aetna Inc. agreed to pay $117,700,000 to resolve allegations that it violated the False Claims Act by submitting inaccurate diagnosis codes for Medicare Advantage enrollees to inflate payments from the Centers for Medicare & Medicaid Services. The government alleged that in 2015, Aetna operated a chart review program that added diagnosis codes to obtain payments but failed to delete codes that chart reviews showed were unsupported, which would have required reimbursement to CMS. The settlement also resolves allegations that from 2018 to 2023, Aetna submitted or failed to delete diagnosis codes for morbid obesity for individuals whose Body Mass Index recordings were inconsistent with that diagnosis. A former Aetna risk-adjustment coding auditor who filed a whistleblower lawsuit will receive $2,012,500 from the settlement. The settlement resolves allegations only and there has been no determination of liability. Source: U.S. Department of Justice
- A Legal Permanent Resident from Mexico received a 168-month federal prison sentence for orchestrating a $6.85 million healthcare fraud scheme through his ambulance company. Orlando Omar Garcia-Moya, 54, of Piedras Negras, founded Fleet Ambulance Service Inc. in 2008 and, along with two employees, Oscar Gutierrez and Melody Ann Villarreal, fraudulently billed Medicare and Medicaid for services they were not authorized to provide. The conspirators created run sheets for patients who were not transported, used personal vehicles or unapproved vehicles for medical transfers, and listed “ghost employees” on documentation. Between 2008 and 2016, the company billed more than $17.9 million and received $6,856,186.85 from Medicare and Medicaid. Chief U.S. District Judge Alia Moses ordered Garcia-Moya to pay $6,856,186.85 in restitution, while his co-conspirators received sentences of 60 and 48 months in prison. Source: U.S. Attorney’s Office, Western District of Texas
Privacy, Data Security, and HIPAA
- The FTC reached settlements in December 2024 with Mobilewalla, Inc. and Gravy Analytics, Inc. for tracking and selling location data from health centers without user consent. Mobilewalla created audience segments from this data, including pregnant women identified through pregnancy center visits, and sold the information to clients for targeted advertising. Gravy Analytics collected location data without consent, sold data based on health-related characteristics, and geofenced medical events to sell the resulting data. Both companies are now prohibited from selling, disclosing, or using location data from health clinics, religious institutions, labor union offices, and other locations associated with protected status. These settlements occurred under the previous administration, leaving questions about how the new FTC will handle similar cases involving geolocation data that falls outside HIPAA regulations. Source: Healthcare Law Insights
- California dentists face risk from patients who record office visits without consent; such recordings can create exposure under both HIPAA and state privacy law. The California Invasion of Privacy Act requires all parties to consent to the recording of a conversation, and violations can result in fines of up to $2,500 per violation and up to one year in jail. Patients have the right to access their dental records under HIPAA, but they do not have the right to record conversations with their dentist without consent. Dental practices should post signage prohibiting recording, and staff should confirm that recording functions on wearable devices such as smart glasses are turned off. If staff discover a patient recording without consent, they must instruct the patient to stop and report incidents involving protected health information to the U.S. Department of Health and Human Services Office for Civil Rights. Source: CDA
- Legacy protected health information in email systems poses risks for HIPAA-covered entities during business email compromise events. A handful of compromised mailboxes can contain PHI for tens or hundreds of thousands of individuals, particularly when organizations lack an email archiving system and leave years-old PHI sitting in live mailboxes. The Department of Health and Human Services Office for Civil Rights requires policies and procedures to guard against unauthorized access to PHI in email systems, yet healthcare organizations continue to underestimate the volume of PHI in their systems. Healthcare entities can implement security measures including archiving email, encrypting PHI shared by email, and deploying email filters that detect PHI before transmission. Internal email, which typically contains the most PHI, often falls outside organizations’ encryption requirements despite carrying the greatest risk. Source: Data Counsel
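The pre-transmission PHI filter described above, as an added illustration (this is not code from Data Counsel or any vendor product): a small content-inspection pass that scores an outbound message on PHI indicators and decides whether to allow it, force encryption, or hold it for review. The identifier patterns (a hypothetical MRN format, a US SSN shape, a date-of-birth label, and the general shape of an ICD-10-CM code) and the thresholds are assumptions that a real deployment would tune; the sample messages are constructed. The same scanner, run over a mailbox export, gives a rough count of how many stored messages carry PHI, which addresses the page's point that organizations underestimate that volume.

```python
import re
from dataclasses import dataclass

# Assumed, illustrative PHI indicators (not an authoritative HIPAA identifier list).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
MRN_RE = re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE)        # hypothetical MRN format
DOB_RE = re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE)
ICD10_RE = re.compile(r"\b[A-TV-Z]\d{2}(?:\.\d{1,4})?\b")              # ICD-10-CM code shape, e.g. E66.01

# Direct identifiers weigh more than clinical context alone.
INDICATORS = (("ssn", SSN_RE, 3), ("mrn", MRN_RE, 3), ("dob", DOB_RE, 1), ("icd10", ICD10_RE, 1))
BLOCK_THRESHOLD = 3   # assumed: any direct identifier bound for an external recipient is held


@dataclass
class ScanResult:
    findings: dict   # indicator name -> number of matches
    score: int       # weighted sum of findings
    action: str      # "allow", "encrypt", or "block"


def scan_message(subject: str, body: str, external_recipient: bool) -> ScanResult:
    """Score one outbound message and decide how the gateway should treat it.

    Internal mail is not exempt: anything that carries PHI is forced to an
    encrypted path, which is the gap the page notes in many policies.
    """
    text = f"{subject}\n{body}"
    findings = {}
    score = 0
    for name, pattern, weight in INDICATORS:
        hits = len(pattern.findall(text))
        if hits:
            findings[name] = hits
            score += weight * hits
    if score == 0:
        action = "allow"
    elif external_recipient and score >= BLOCK_THRESHOLD:
        action = "block"      # hold for DLP review rather than deliver
    else:
        action = "encrypt"    # deliver only via TLS-enforced or portal channel
    return ScanResult(findings, score, action)


def estimate_exposure(messages) -> int:
    """Count how many stored messages carry any PHI indicator.

    `messages` is an iterable of (subject, body) pairs, e.g. from a mailbox
    export; the result is a floor on the PHI-bearing message count.
    """
    return sum(1 for subject, body in messages
               if scan_message(subject, body, external_recipient=False).score > 0)


# Constructed sample messages (not real patient data).
SAMPLES = [
    ("Re: referral", "Patient MRN: 00482913, DOB: 04/12/1971, dx E66.01 - please schedule."),
    ("Claim question", "Claim for Jane Doe, SSN 123-45-6789, was denied last month."),
    ("Lunch Friday?", "Team lunch at noon, conference room B."),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(subject, "->", scan_message(subject, body, external_recipient=True))
    print("messages with PHI:", estimate_exposure(SAMPLES))
```

The scanner inspects only the headline identifiers; a production filter would also look inside attachments and add the organization's own identifier formats, and its false-positive rate on the ICD-10 pattern alone is why that indicator is given a low weight rather than treated as sufficient to block.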
- The HHS Office for Civil Rights is reviewing 4,700 public comments on proposed HIPAA Security Rule updates while the rule’s future remains uncertain under the Trump administration’s deregulatory agenda. OCR Director Paula M. Stannard told attendees at the HIMSS conference that no decisions have been made on which modifications will be finalized, but defended the proposal by arguing that cyberattacks cost more than compliance in terms of reputation damage, ransom payments, system remediation, civil lawsuits, and regulatory penalties. The Biden-era proposal would require more stringent security controls and eliminate the distinction between required and addressable implementation specifications, which Stannard said entities often treat as optional, resulting in lax security. More than 100 hospital systems and industry associations urged HHS in December 2025 to rescind the rule, citing financial burdens and unreasonable implementation timelines. Experts recommend healthcare organizations adopt best practices like the NIST Cybersecurity Framework rather than waiting for a mandate, noting healthcare has been the number one targeted industry for cyberattacks for 13 years. Source: TechTarget
Cybersecurity
- The Trump Administration released a cybersecurity strategy and executive order on March 6, 2026, to combat cyber threats through offensive operations and private sector engagement. The strategy outlines six pillars of action, including shaping adversary behavior, streamlining regulations, modernizing federal networks, securing critical infrastructure, sustaining superiority in emerging technologies, and building cyber workforce capacity. The executive order directs the Attorney General and Secretaries of War, Homeland Security, and State to develop an action plan within 120 days to identify and dismantle Transnational Criminal Organizations responsible for cybercrime, including ransomware, phishing, sextortion, and scam centers. The Attorney General must establish a Victims Restoration Program within 90 days to provide restitution to fraud victims from seized criminal funds. The One Big Beautiful Bill Act allocated $1 billion for offensive cyber operations to support these efforts. Source: Global Policy Watch
- Stryker, a Michigan-based medical device manufacturer with operations in 61 countries and over 56,000 employees, experienced a data-wiping cyberattack claimed by the Iran-linked hacking group Handala. The group stated it wiped more than 200,000 systems, servers, and mobile devices across 79 Stryker offices and exfiltrated 50 terabytes of data in retaliation for attacks on Iran. Security researcher Kevin Beaumont indicated the attackers gained access to Stryker’s Active Directory and used Microsoft Intune to remotely wipe Windows-based devices, turning the company’s own device-management tooling into the destructive mechanism. Handala, which Palo Alto Networks links to Iran’s Ministry of Intelligence and Security, targeted Stryker because of its presence in Israel, including its 2019 acquisition of orthopedic device maker OrthoSpace. Stryker disclosed to the SEC that the attack disrupted information systems and business applications, with no timeline for recovery. Source: HIPAA Journal
HHS Regulatory and Policy Developments
- The U.S. Department of Health and Human Services announced on March 27, 2025, a reorganization that consolidates 28 divisions into 15 and reduces regional offices from 10 to 5. The restructuring, part of the Department of Government Efficiency Workforce Optimization Initiative, will reduce the workforce from approximately 82,000 to 62,000 employees and generate an estimated $1.8 billion in savings per year. The reorganization creates the Administration for a Healthy America (AHA), which integrates programs from OASH, HRSA, SAMHSA, ATSDR, and NIOSH, with a Fiscal Year 2026 budget request of $20.6 billion for telehealth modernization, behavioral health initiatives, environmental health research, and rural health workforce programs. HHS will establish an Assistant Secretary for Enforcement to oversee the Office for Civil Rights, Departmental Appeals Board, and Office of Medicare Hearings and Appeals. Healthcare organizations may experience delays in response times for inquiries and investigations due to workforce reductions. Source: Healthcare Law Insights
- HHS withdrew a proposed exception in December 2025 that would have allowed healthcare providers to tailor patients’ electronic access to health information based on patient preferences. The Requestor Preferences Exception, originally proposed in August 2024, was withdrawn as part of the Trump Administration’s deregulatory initiative, creating complications for radiology providers who must navigate both federal information blocking rules and state laws requiring test result embargoes. States including Texas and Kentucky have enacted laws mandating delays before certain sensitive test results can be electronically disclosed to patients—Texas requires a 72-hour delay for pathology or radiology reports showing potential malignancy or genetic markers—while federal rules under 45 CFR Part 171 generally require timely release of finalized test results through electronic health record systems and patient portals. The American College of Radiology urged HHS in February 2026 to codify rather than withdraw the exception, arguing it would enable providers to share test results according to patient timeframes without triggering information blocking liability. Healthcare providers operating in states with mandatory embargo laws must assess whether their practices fall within the “required by law” exclusion and ensure compliance with federal rules after statutory delay periods expire. Source: ReedSmith
Artificial Intelligence in Healthcare
- Physician AI adoption has surged to 72% in 2026, according to the American Medical Association’s survey of 2,051 U.S. physicians, up from 38% in 2023. The most common use case is summarizing medical research and standards of care (39%), while 73% of physicians believe AI can reduce administrative workload and 70% say it will offload clinical tasks. However, 41% of physicians believe AI use will harm patient privacy, and 88% express concern about skill loss. The top factors facilitating adoption are data privacy assurances from employers and EHR vendors (70%) and validation of AI safety and efficacy by a trusted entity with continuous monitoring (66%). Meanwhile, 92% of physicians want more training on AI tools, 55% want to be consulted on organizational AI decisions, and 30% want responsibility for implementation. Source: TechTarget
- Texas enacted a law regulating artificial intelligence systems that applies to any entity conducting business in Texas, producing products used by Texas residents, or developing AI systems in the state. Governor Greg Abbott signed the Texas Responsible Artificial Intelligence Governance Act on June 22, 2025, and it took effect on January 1, 2026. The law prohibits developing or deploying AI systems for intentional discrimination based on protected classes, manipulating human behavior, infringing constitutional rights, or producing certain content, but clarifies that disparate impact alone does not constitute prohibited discrimination. The Texas Attorney General holds enforcement authority under the statute, with civil penalties ranging from $10,000 to $200,000 per violation and a 60-day cure period. Companies can establish defenses by conducting internal audits, using third-party testing, or adhering to frameworks such as the NIST AI Risk Management Framework. Source: Sheppard Mullin
- Microsoft launched Copilot Health as an AI assistant that enables consumers to review medical records, prepare for doctor appointments, and receive personalized health insights. The platform integrates medical records from more than 50,000 U.S. provider organizations and health data from over 50 wearable devices including Apple HealthKit, Oura, and Fitbit. Microsoft handles more than 50 million health questions daily across its AI products and built Copilot Health with medical intelligence from organizations across 50 countries, verified by its clinical team using National Academy of Medicine principles. The tool is not designed to replace physicians or provide definitive diagnoses, and user data is protected with encryption and not used for model training. The platform is in testing with plans for phased rollout, joining recent health AI launches from OpenAI and Amazon. Source: Fierce Healthcare
Industry Transactions and Business Disputes
- DSO affiliation among U.S. dentists grew from 7.2% in 2015 to 16.1% in 2024, representing 124% growth over the decade. The trend is more pronounced among dentists with fewer than 10 years of experience, 27% of whom were affiliated with a DSO in 2024. The DSO platforms that outperform integrate operations and plan for liquidity from the outset, because those decisions shape margin performance, dentist retention, and exit outcomes. Without pre-close mapping of information systems, workflows, and governance structures, the first several months after closing are consumed by reconciling data instead of improving performance. Investors now focus on margin durability, reporting consistency, dentist retention, and governance clarity rather than acquisition volume alone. Source: VMG Health
- A Business Court ruled that Apex Health cannot pursue claims against Atrium Health over a failed Medicare Advantage plan partnership because Apex failed to include the co-branding and partnership commitments from their Letter of Intent in the final agreement. In Apex Health, Inc. v. Atrium Health, Inc., 2026 NCBC 10, the parties’ LOI referenced a “co-branded” Medicare Advantage plan where Atrium would provide support as a “true partner,” but the final agreement only required Atrium to use “commercially reasonable efforts” to support marketing efforts with no co-branding commitment or marketing specifics. Apex alleged it suffered $62 million in losses when the plan attracted fewer than 50 enrollees in 2021 and 150 in 2022. The Court denied Apex’s motion to amend its complaint to add a Chapter 75 claim, finding the allegations of deception did not meet the “egregious and aggravating circumstances” standard and noting Apex waited months after discovery revealed the relevant documents to seek the amendment. The Court observed that given Apex’s sophistication and experience in the industry, it could have done more to set out its expectations regarding co-branding and partnership in the agreement itself. Source: It’s Just Business
- Function Health filed a lawsuit against Superpower Health on January 26, 2026, in California federal court alleging false advertising and unfair competition under the Lanham Act and California state law. The complaint centers on Superpower’s marketing claims that it offers “100+ biomarkers” when Function alleges the platform actually provides approximately 55 direct laboratory measurements, with the remainder consisting of calculated metrics derived from existing lab values. Function also challenges Superpower’s representations about 24/7 clinical team availability and access to 3,000+ laboratory locations, claiming the clinical support consists of dieticians and health coaches responding within 24 hours on weekdays and that Quest Diagnostics operates approximately 2,250 patient service centers. Function, which was founded in 2021 and raised $298 million in Series B financing in November 2025, seeks an injunction, corrective advertising, monetary damages, disgorgement of profits, and attorneys’ fees. Superpower, founded in 2023, has not yet filed its answer to the complaint. Source: ArentFox Schiff
Provider Compliance and Payor Contracts
- Healthcare providers frequently overlook binding obligations in third-party payor agreements that can result in contract breaches. Some provider agreements mandate notification to payors within 24 hours of a HIPAA breach, though the requirement often lacks clarity on whether unsuccessful security penetration attempts must be reported. Contracts may require providers to notify or obtain approval from payors before ownership or leadership changes, with thresholds varying by agreement. Most agreements also require providers to report settlements, overpayments, and adverse actions taken by regulating bodies such as licensing boards or certification entities. Payor contracts typically mandate an “effective” compliance program and may include cultural competence standards, though payors provide minimal guidance on what meets these requirements. Source: Shumaker, Loop & Kendrick, LLP
- The FTC is reshaping the pharmacy benefit manager industry through settlements rather than litigation. On March 3, 2026, the FTC extended the stay in its administrative proceeding against OptumRx and Caremark Rx to allow time for settlement negotiations, following its Feb. 4, 2026 settlement with Express Scripts that imposes 10-year operational commitments on formulary, pricing, transparency and compensation structures. The FTC’s enforcement focuses on PBM rebate-driven incentives and formulary design affecting insulin access and patient out-of-pocket costs. Express Scripts agreed to incorporate the TrumpRx platform into its standard offering to plan sponsors and shift member out-of-pocket costs from list prices to net pricing. If all three PBMs reach similar settlements, the result could be an industry-wide regulatory baseline for PBM operations. Source: Polsinelli
State-Level Healthcare Regulation
- A three-judge panel of the 4th U.S. Circuit Court of Appeals upheld West Virginia’s ban on Medicaid coverage for gender-affirming surgeries. The panel overturned a lower court decision that found the 2004 statute violated anti-discrimination protections under two federal laws and the Equal Protection Clause. The decision extends the coverage denial to adults, not just children. The court accepted the state’s rationale to “encourage citizens to appreciate their sex” and “not become disdainful of it” as a constitutional aim. The ruling follows the Supreme Court’s decision in Skrmetti, which held that children could be denied puberty blockers and hormone therapy without violating the Equal Protection Clause. Source: Above the Law
- Texas Attorney General Ken Paxton issued a legal opinion on March 2 stating that a state law banning gender-affirming medical care for minors applies to mental health providers licensed by the Texas Behavioral Health Executive Council. The opinion establishes that the council’s licensees qualify as healthcare providers under the legislation. The law bars state funds from going to those who facilitate the prohibited transition procedures. The statute applies to individuals or entities who provide medical interventions as well as those who facilitate such interventions. Source: Becker’s Behavioral Health
- The Texas Medical Board published proposed regulations in the January 2, 2026 Texas Register that require physicians to be physically present onsite during all ketamine therapy sessions. Physicians must complete training in mental health treatment or a course on ketamine use for psychiatric conditions, and treatment is limited to diagnosed conditions including PTSD, treatment-resistant depression, and suicidal ideation. The regulations under Chapter 173, Subchapter B mandate clinic registration with two-year renewal periods and establish patient monitoring standards including continuous vital sign tracking and a minimum 30-minute post-treatment observation. Clinics must maintain adverse event logs for three years and face audits similar to pain management clinics. The rules are open for public comment with an estimated six to 12 months for compliance after adoption. Source: Hendershot Cowart P.C.
FDA Enforcement
- The FDA issued 30 warning letters to telehealth companies for marketing compounded GLP-1 medications in ways that violate federal law. The enforcement action, announced in March 2026 under Commissioner Makary, targets three violations: claims that compounded versions contain the “same active ingredient” as innovator drugs, marketing compounded drugs as “generic” equivalents, and use of “research use only” labeling for peptides intended for human consumption. This follows September 2025 enforcement actions that marked a shift from limited oversight to enforcement activity in the compounding and telehealth industry. Commissioner Makary stated in CNBC comments that he expects to see the end of unlawful mass compounding in 2026. The agency may pursue investigations or litigation beyond warning letters to address what it views as consumer deception and circumvention of the FDA approval process. Source: Sheppard
