2026 DOJ and state AG enforcement trends for health care and life sciences

Health care and life sciences enforcement is a top priority in 2026, and the playbook is becoming broader and more coordinated. Federal prosecutors and state attorneys general (AGs) are continuing to press traditional fraud and abuse theories, but they are doing so with more sophisticated data tools, more frequent multi-agency actions and a willingness to package payment integrity issues with related theories involving controlled substances, consumer protection and privacy. In practical terms, issues that once might have been managed as a single compliance matter can now escalate quickly into parallel exposure across civil False Claims Act (FCA) investigations, criminal inquiries, administrative action and state enforcement litigation.

Data analytics, AI, and faster case generation

Regulators are increasingly using proactive data analytics to identify anomalous billing patterns and set up coordinated investigations quickly. The Department of Justice’s (DOJ) 2025 National Health Care Fraud Takedown, which involved 324 defendants and more than $14.6 billion in alleged intended loss, illustrates both the scale of current targeting and the degree of federal and state coordination, including participation by 12 state AG offices. In the same announcement, the DOJ described plans to create a Health Care Fraud Data Fusion Center intended to leverage cloud computing, artificial intelligence and advanced analytics to identify emerging fraud schemes.

In 2026, this matters because regulators can spot anomalies faster and with far less reliance on whistleblowers. Sudden utilization spikes, unusually high coding intensity and outlier prescribing or referral patterns are increasingly visible in claims and other data sets and can trigger scrutiny on their own. The operational risk is not limited to clearly improper conduct. Any scalable workflow that can repeatedly generate atypical patterns, including documentation prompts, standing orders, templated coding support or automated patient acquisition and scheduling, can attract investigative attention once those patterns stand out in comparative analyses.

False Claims Act intensity and coordinated civil, criminal and administrative pressure

The FCA remains the centerpiece for health care recoveries and a key engine for 2026 enforcement. The DOJ reported that FY 2025 FCA settlements and judgments exceeded $6.8 billion, the highest annual amount on record, with more than $5.7 billion tied to health care matters. The DOJ also reported record levels of qui tam activity and hundreds of government investigations opened during the same period.

For health care and life sciences companies, this points to a continued focus on enterprise-level theories that frame problems as systematic rather than episodic. The DOJ’s own reporting highlights continued emphasis on managed care, prescription drugs and medically unnecessary care. That framing tends to pull in incentive design, vendor relationships, internal monitoring and governance. It also increases the likelihood of parallel proceedings because the same facts can be viewed through civil FCA, criminal fraud and administrative exclusion or payment suspension lenses.

Managed care, risk adjustment and value-based incentive design

Medicare Advantage risk adjustment will likely remain one of the clearest managed care targets for 2026, and recent activity provides a practical road map. For example, the DOJ announced on Jan. 14 that Kaiser Permanente affiliates agreed to pay $556 million to resolve FCA allegations involving diagnosis coding practices tied to Medicare Advantage payments. Public reporting described allegations that included pressuring physicians to add diagnoses after visits, using “mining” approaches to identify codes and linking incentives to diagnosis capture.

This trend has broader implications beyond Medicare Advantage. As payers, physicians and other clinicians expand value-based contracting and risk-bearing arrangements, enforcement interest often follows the incentive structures that influence documentation, utilization and quality measurement. In 2026, companies should expect investigators to ask not only whether diagnoses and services were supported, but also how programs were designed, what tools and prompts were used, how clinician decision-making was protected from revenue pressure and what monitoring existed to detect drift. The highest-risk areas tend to be retrospective addenda policies, chart review and coding vendor oversight and compensation programs that can be interpreted as rewarding coding intensity rather than clinical accuracy.

Telehealth, digital health platforms and controlled substances

Telehealth enforcement is expected to remain intense in 2026, especially where platform business models intersect with controlled substance prescribing and aggressive consumer acquisition tactics. The DOJ’s Done Global press release from Dec. 17, 2025, describes an indictment alleging that a subscription-based digital health company and an affiliated medical practice conspired to provide easy access to more than 40 million pills of Adderall and other stimulants, including allegations involving prescribing without a legitimate medical purpose and related health care fraud theories.

At the same time, the regulatory environment remains dynamic. On Jan. 2, the Department of Health and Human Services (HHS) and the Drug Enforcement Administration announced a fourth temporary extension of telemedicine flexibilities that allow prescribing controlled medications without a prior in-person visit, extending from Jan. 1 through Dec. 31, 2026. That extension reduces care disruption but does not reduce enforcement risk. Prosecutors can still focus on whether prescribing practices align with professional standards, whether patient evaluation and follow-up are adequate, whether marketing creates misleading expectations of “easy access,” whether cross-state and licensure requirements are respected and whether platform or management structures effectively steer clinical decision-making.

Pharmacies, PBMs, prescription drug economics and opioid-related state actions

Pharmacy and pharmacy benefit manager enforcement is expanding beyond traditional manufacturer and distributor theories, and it is increasingly evident in both DOJ settlements and state AG litigation. On Dec. 2, 2025, the U.S. Attorney’s Office for the Southern District of New York announced a $37.76 million settlement with CVS resolving FCA allegations tied to insulin pen dispensing and billing practices, including premature refills, dispensing more insulin pens than prescriptions supported and underreporting days-of-supply. This reflects a broader risk pattern for 2026: Pharmacy operations that are heavily automated and high volume can generate systemic billing exposure if refill controls, days supply logic and payer rule adherence are not consistently enforced and documented.

State AGs are also pressing pharmacy benefit managers (PBMs) with opioid-focused “gatekeeper” narratives. West Virginia’s AG announced on Dec. 8, 2025, a lawsuit alleging that Optum and affiliates contributed to opioid oversupply and obstructed safeguards, illustrating how states may use consumer protection, racketeering-style, negligence and public nuisance theories to pursue PBMs and related entities. For 2026, companies should anticipate scrutiny of formulary and utilization management decisions, relationships with manufacturers, rebate and fee arrangements and how opioid controls are designed and operationalized across retail and mail channels.

Cybersecurity and health data privacy as enforcement multipliers

Cybersecurity and data practices are increasingly intertwined with health care enforcement risk in ways that can amplify exposure. On the federal side, the DOJ has explicitly tied cybersecurity compliance to FCA enforcement priorities through its Civil Cyber-Fraud Initiative, which, as the DOJ described in its FY 2024 FCA reporting, promotes cybersecurity compliance by holding contractors and grantees accountable for knowingly violating applicable requirements. The DOJ has also pursued health care-adjacent cybersecurity matters, including a February 2025 resolution involving a health benefits administrator and its parent company paying over $11 million to resolve allegations related to cybersecurity requirements in a government contract setting.

On the privacy side, enforcement pressure is rising from both regulators and state AGs. California’s AG announced in July 2025 what was described as the largest California Consumer Privacy Act settlement to date, involving Healthline and restrictions tied to sharing data that could reveal consumers’ medical conditions. Federal privacy expectations also remain active in the HIPAA context. HHS has published guidance addressing the use of online tracking technologies by HIPAA-covered entities and business associates, underscoring ongoing regulatory attention to how data is collected and shared through websites and mobile apps. The practical 2026 risk is compounding exposure where patient-facing digital experiences, advertising technology and analytics vendors intersect with sensitive health information, particularly if disclosures are not adequately assessed, documented and contractually controlled

Summary: What to watch in 2026

Taken together, the enforcement signals for 2026 are clear: Regulators will continue to pursue familiar fraud and abuse priorities, but with better data and more coordination across federal and state agencies. Investigations are increasingly likely to focus not only on claims accuracy, but also on the systems, incentives and vendor or platform relationships that shape coding, prescribing, billing and utilization decisions at scale. The net result is an enforcement environment in which matters develop faster, proceed on parallel tracks more often and reach more parts of the health care and life sciences ecosystem than in prior cycles.

Gabriel H. Scannapieco is a partner at Arnall Golden Gregory, co-chair of the firm’s Life Sciences industry team, and a former director at the U.S. Department of Justice Consumer Protection Branch. He has significant experience in complex civil and criminal litigation involving health care, consumer protection, and white-collar defense. He can be reached at [email protected].

Aaron M. Danzig is a partner and chair of the Government Investigations practice at Arnall Golden Gregory, co-chair of the Litigation & Dispute Resolution practice, and member of the Hospitals & Health Systems industry team. He is a litigator with significant trial experience in white collar criminal defense and business and intellectual property litigation. He can be reached at [email protected].