Express Scripts Promises “Fundamental” PBM Practice Reforms To Settle FTC Lawsuit As Labor Department Proposes New PBM Compensation Transparency Requirements

February 4, 2026

Prescription benefit manager (“PBM”) Express Scripts, Inc. and its affiliated entities (collectively “ESI”) must adopt “fundamental” business practice changes intended to enhance transparency in its PBM practices under a “landmark settlement” that resolves its exposure to charges, made in an FTC lawsuit, that the nation’s three largest PBMs – ESI, Caremark Rx, and OptumRx – and their affiliated group purchasing organizations (“GPOs”) illegally used anticompetitive and unfair rebating practices to artificially inflate prices of and restrict patient access to insulin drugs.

In Caremark Rx, Zinc Health Services, et al., In the Matter of (Insulin), the FTC sued the nation’s three largest PBMs, ESI, Caremark Rx, and OptumRx and their affiliated GPOs, for illegally driving up insulin prices and disrupting patient access to insulin by engaging in anticompetitive and unfair rebating practices.

Specifically, the FTC alleges these PBMs’ use of restrictive formularies that completely excluded certain drugs from coverage coerced pharmaceutical manufacturers to provide PBMs higher rebates to avoid exclusion of their products outright from the PBM formularies required for insurance coverage for tens of millions of patients. Leveraging this threat of exclusion, the FTC charges, PBMs began demanding higher and higher rebates from drug manufacturers in exchange for placing those drugs on their restrictive formularies. While the race for higher rebates, in principle, should have reduced drug costs for patients, the FTC says the PBMs’ “insatiable demand for larger rebates” and manufacturers’ desire to preserve their own profits drove manufacturers steadily to increase the list price of their drugs. The FTC claims the resulting dynamic artificially inflated list prices disconnected from the actual cost of the drugs to insurers.

Since patients’ out-of-pocket expenses are directly or indirectly tied to these inflated prices, uninsured patients often pay the full list price, while insured patients with high deductibles or co-insurance also face higher costs based on these inflated list prices. As a result, as rebates and list prices rise in tandem, these groups of patients are burdened with higher out-of-pocket costs for their medications.

The FTC claims this broken system has far-reaching consequences. It causes an opaque drug pricing and reimbursement system, which benefits the PBMs and manufacturers but deliberately obscures the full scope of harm and financial cost from insurers and patients unknowingly shouldering the burden of inflated list prices.

While the dynamic impacts many prescription drugs, the FTC says insulin is the poster child of this distorted system.

The FTC settlement resolves ESI’s liability exposure from the FTC lawsuit regarding insulin pricing and competition in return for its making significant changes in its PBM pricing and other practices. Among other things, ESI agrees no longer to prefer drugs with high list prices on its standard formularies when cheaper equivalents exist. ESI also will delink its compensation from the savings it negotiates with drugmakers. ESI also commits to increase transparency, including reporting more data on drug spending and disclosing any kickbacks to brokers that help employers choose PBMs. ESI also agreed to reshore its group purchasing organization Ascent from Switzerland back to the United States.

GPOs, which aggregate PBMs’ members to improve their negotiating leverage with drugmakers, have been accused of facilitating shell games that allow PBMs to retain more drug rebates as profit. However, oversight is tricky given no major GPOs are headquartered in the U.S.

The FTC predicts the ESI deal will drive down patients’ out-of-pocket costs for drugs like insulin by up to $7 billion over a decade and bring millions of dollars in new revenue to community pharmacies by requiring Express Scripts to move its pharmacy reimbursement to a cost-plus model. It bears noting that ESI reportedly already was transitioning to a cost-plus model.

The FTC lawsuit continues against Caremark Rx and UnitedHealth-owned OptumRx and their affiliated GPOs.

The settlement announcement follows the U.S. Department of Labor’s issuance last week of a proposed rule to improve transparency of fees collected by pharmacy benefit managers. If adopted as proposed, the rule will require PBMs to disclose rebates and other payments from drug manufacturers, compensation received when the price paid by a health plan for a prescription drug exceeds the amount reimbursed to the pharmacy, and payments recouped from pharmacies in connection with prescription drugs dispensed to a health plan. The proposal would also allow plan fiduciaries to audit the accuracy of PBM disclosures and provide additional relief if their PBM fails to meet its obligations under the rule.

The FTC and Labor Department actions are part of a series of federal activities undertaken in response to directives of President Donald Trump to provide greater healthcare transparency and bring down the cost of prescription medications and other healthcare costs. See, e.g. The Great Healthcare Plan; Making America Healthy Again by Empowering Patients with Clear, Accurate, and Actionable Healthcare Pricing Information; Delivering Most Favored-Nation Prescription Drug Pricing To American Patients (May 12, 2025).

PBMs, healthcare providers, health plans and their sponsors and their fiduciaries and service providers, pharmaceutical manufacturers and distributors, and consumers should carefully follow these and other developments to understand their evolving responsibilities and opportunities under these changing rules and enforcement positions. To receive updates on these and other developments, follow this resource or email your contact information to the author.

If you have questions about this or other health care concerns, contact the author. 

For More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Peer recognized as “Top Rated Lawyer,” “LEGAL LEADER™ Top Rated Lawyer” and “Best Lawyer” for her work in “Health Care Law,” “Labor and Employment Law,” “ERISA & Employee Benefits,” and “Business and Commercial Law,” Cynthia Marcotte Stamer is a Martindale-Hubbell “AV-Preeminent” (Top 1%) attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation.

Author of numerous highly regarded works on health law and policy, Immediate Past Chair of the ABA International Section Life Sciences Committee and the current Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

She also has extensive experience helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Section 504, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for-performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, anti-kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns; to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions; regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Author of publications on “Transparent PBM Contracting,” “ACOs, Direct Contracting: Legal & Practical Challenges For Employers, Providers & TPAs,” “The Medicare Advantage Contracting Manual,” “Third Party Administrator (TPA) Contracting Principles and Strategies” and a multitude of other highly regarded publications and presentations, Ms. Stamer is widely recognized for her thought leadership on PBM and other managed care and health plan contracting and design, and a multitude of other health care, health plan and other health industry matters. In addition, Ms. Stamer contributes her time and leadership to numerous policy, professional, civil and other organizations including service as the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas. A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any  fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2026 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


OCR’s 8th Investigation Announcement Clearly Warns HHS-Funded Organizations To Ensure Merit-Based Decisions & Manage Antisemitism & Other Prohibited Discrimination Risks

May 14, 2025

Academic medicine and other education, health care, Medicare or Medicaid Advantage insurers, and other organizations received another warning to update and strengthen the defensibility of their policies and practices system-wide for preventing anti-Semitism and other race, color, national origin, religious or other discrimination from the Department of Health & Human Services’ May 13, 2025, announcement of another investigation of another university for anti-Semitism in violation of the Civil Rights Act of 1964 (“CRA”) and other federal civil rights laws.

The Civil Rights Act of 1964 (the “CRA”), the Equal Protection Clause of the 14th Amendment to the United States Constitution, Section 1557 of the Patient Protection and Affordable Care Act (“Section 1557”) and various other federal laws prohibit discrimination on the basis of race, national origin, color and certain other status by covered government or private organizations, including health care, Medicare and Medicaid Advantage, academic medicine and other education, child care, research and other HHS-funded organizations, employers and other entities.

Since President Donald J. Trump (“President Trump”) took office in January, HHS OCR, the Departments of Education and Justice, the Equal Employment Opportunity Commission (“EEOC”) and other federal agencies have been aggressively investigating anti-Semitism, anti-Christianity, and certain other race, color, national origin and religious discrimination by academic medicine and other educational institutions, health care organizations, health insurers, employers and other organizations covered by these civil rights laws. These investigations and enforcement actions target prohibited discrimination in all forms, including the use of race, national origin, color, sex, religion and other non-merit-based criteria, even when those criteria are applied to promote racial balancing, diversity or other similar goals.

Trump Merit-Based Civil Rights Executive Orders Heighten Public & Private Civil Rights & Other Discrimination Risks

This heightened investigation and enforcement emphasis is a direct response to the directives of President Trump in a series of Executive Orders directing federal agencies zealously to combat anti-Semitism, anti-Christian, and other discrimination or bias based on race, color, national origin and religion. See, e.g., Executive Order 14188 – Additional Measures To Combat Anti-Semitism (January 29, 2025); Executive Order 14202, Eradicating Anti-Christian Bias (February 6, 2025); and Executive Order 14291, Establishment of the Religious Liberty Commission (May 1, 2025).

As part of these directives, President Trump specifically singled out anti-Semitism for special attention and concern. In Executive Order 14188, for instance, President Trump directed HHS, the Justice Department and other agencies to vigorously enforce the Civil Rights Act to combat the rise of anti-Semitism and anti-Semitic incidents in the U.S. and around the world. While Executive Order 14188 specifically targeted the use of the Civil Rights Act and other federal prohibitions against race, color and national origin discrimination to fight anti-Semitism, Executive Order 14188 also noted that anti-Semitism also can violate federal protections against religious discrimination, stating:

…[Title VI] prohibits discrimination on the basis of race, color, and national origin in programs and activities receiving Federal financial assistance. While Title VI does not cover discrimination based on religion, individuals who face discrimination on the basis of race, color, or national origin do not lose protection under Title VI for also being a member of a group that shares common religious practices. Discrimination against Jews may give rise to a Title VI violation when the discrimination is based on an individual’s race, color, or national origin.

The Trump Administration’s emphasis on protecting federal right of conscience and other religious freedom protections is made more perilous by its sharp disagreement with, revocation of, and characterization as patently illegal of various key aspects of the interpretation and enforcement policies of the Biden, Obama and other previous administrations regarding federal right of conscience and other religious freedom, sexual orientation, reproductive rights and other civil rights policies and protections. See, e.g., Executive Order 14281 – Restoring Equality of Opportunity and Meritocracy (April 23, 2025). These directives and widespread coverage and publicity of the actions by HHS and other federal agencies to implement and enforce the Administration’s merit-based interpretation and enforcement of civil rights laws are fueling a slew of new federal investigations and enforcement, as well as encouraging and shaping private discrimination claims by both parties advantaged or disadvantaged by the Administration’s interpretations.

As reflected by OCR’s May 13, 2025 announcement of its investigation of complaints against a “prestigious” midwestern university (“University”), OCR and other federal agencies are responding by zealously investigating complaints of anti-Semitism or other race, color, national origin and religious discrimination by academic and other health care, education, health insurance and other organizations receiving federal funding under programs managed by HHS.

Announced OCR Investigations Since February Show HHS Enforcement Risks

According to OCR, the investigation announced on May 13, 2025, and other investigations “[are] part of a broader effort by the Administration’s multi-agency Joint Task Force to Combat Anti-Semitism.” OCR opened the investigation against the University in response to a complaint from a multi-stakeholder advocacy organization that alleges “systemic concerns regarding the University’s actions to maintain a campus climate, academic direction, and institutional policy that ensures nondiscrimination on the basis of race, color, and national origin.” OCR says its investigation will examine whether the University complied with its obligations under Title VI not to discriminate against Jewish students, such that it denied them an educational opportunity or benefit.

Before OCR issued its May 13, 2025, announcement, OCR and other federal agencies previously had announced Civil Rights Act and other investigations of illegal anti-Semitism at four academic medical centers based on their response to protests and other anti-Semitic activity during graduation and other activities. In addition, OCR also had announced similarly high-profile investigation or enforcement actions against Harvard University and Harvard Law Review, an HHS-funded health services research scholarship program; eight medical schools and hospitals; an HHS-funded health research program; a California-based medical school; the State of Maine and others for impermissibly applying race, color, national origin, sex, religious or other prohibited criteria in operating their programs.

The message from these and other HHS investigations and enforcements is clear.  “Institutions of higher education receiving HHS Federal financial assistance are responsible for complying with Title VI’s nondiscrimination mandates,” said Anthony Archeval, Acting Director of the Office for Civil Rights at HHS. “OCR is committed to ensuring students’ education, safety, and well-being are not disrupted due to discrimination at institutions funded by taxpayer dollars.”

Dear Colleague Letter Advises Academic Medicine & Other HHS-Funded Organizations On Implementing Merit Based Decisionmaking

While warning academic medical and other health care and other HHS-funded organizations against the application of non-merit-based criteria and other prohibited race, national origin, color, sex and religious discrimination, OCR also has sought to encourage covered entities to adapt their policies and practices to comply with President Trump’s merit-based interpretation of the Civil Rights Act and other federal civil rights law prohibitions against race, color, national origin, sex and religious discrimination through a May 6, 2025, “Dear Colleague” Letter. In the Dear Colleague Letter, OCR ‘clarifies’ its updated policies interpreting and enforcing what constitutes race-based discrimination under Title VI, Section 1557, and the Equal Protection Clause of the United States Constitution as applied to student admissions, academic and campus life, and the operation of university hospitals and clinics.

The Dear Colleague Letter reiterates that Title VI and Section 1557 prohibit academic medical and other covered organizations from relying on race-based criteria, racial stereotypes, and facially neutral criteria that operate as a pretext for race. Instead, citing the Supreme Court’s decision in Students for Fair Admissions v. Harvard, 600 U.S. 181 (2023) and President Trump’s Executive Order 14173, Ending Illegal Discrimination and Restoring Merit-Based Opportunity, the Dear Colleague Letter warns HHS-funded academic medicine and other organizations that these federal rules require that health care providers and those in the health professions pipeline make their selections and decisions “based on merit and clinical skills, not race” or other non-merit-based criteria, even when the purpose of the use of the criteria is to promote diversity or racial-balancing.

The Dear Colleague Letter discloses that in applying its merit-based interpretation of Title VI and Section 1557, OCR will prioritize enforcement against HHS-funded organizations that:

  • Use race as part of their application or employment processes;
  • Require diversity, equity, and inclusion statements in connection with hiring or promotion; or
  • Lack clear policies demonstrating compliance with Students for Fair Admissions v. Harvard.

Accordingly, the Dear Colleague Letter advises medical schools and other HHS-funded organizations to:

  • Ensure their policies and procedures comply with existing federal civil rights laws;
  • Discontinue criteria, tools, or processes that serve as substitutes for race or are intended to advance race-based decision-making; and
  • End reliance on third-party contractors, clearinghouses, or data aggregators that engage in prohibited uses of race.

Act Now To Mitigate Risks From Past, Current & Future Non-Merit Based Decisions & Other Prohibited Discrimination

The new emphasis of HHS and other agencies on investigation and enforcement of federal protections for race, national origin, and other civil rights laws alone should prompt all health care and other HHS-regulated authorities prospectively to reevaluate and update their own practices to strengthen their defensibility under new standards.

As the Trump Administration civil rights directives and interpretations apply to all federal agencies, all organizations should consider and redress their exposure to civil rights or other discrimination under EEOC and other workforce, Department of Justice, and other applicable agency rules when assessing the adequacy of their existing policies and practices.

Organizations also should anticipate the likely need to defend past actions, given the practice of HHS and other agencies of applying the merit-based civil rights law interpretations of the Trump Administration even to events and actions that occurred while organizations were subject to the diversity, equity and inclusion friendly interpretations of federal civil rights laws during the Biden Administration. Since the investigation and enforcement actions announced by HHS and other agencies so far retroactively apply the newly announced Trump-era interpretations and standards to investigations of events and actions that occurred during the Biden Administration, prospective changes to enhance the defensibility of current and future actions alone may not be enough. Rather, health care and other organizations need to prepare for the possibility that HHS or other agencies may require their organization to defend Biden-era events under the new Trump Administration interpretations and enforcement policies. In the face of these developments, all health care organizations receiving funding from HHS should review their current and past policies and actions implicating federal civil rights laws to assess and manage their potential past exposures and mitigate future risks.

Because the process of reviewing and revising their policies and practices inevitably will require medicine and other HHS-funded institutions to identify and engage in legally and politically sensitive discussions of past and current policies, events, and actions affecting the competing interests of individuals or organizations whose opportunities are either helped or hurt by the Trump Administration’s transition to a merit-based interpretation of civil rights laws as well as potential whistleblower and retaliation exposures, academic medicine and other HHS-funded organizations generally should work within the scope of attorney-client privilege with legal counsel experienced with these and other civil rights laws and dealing with OCR and other agencies in relation to investigations and enforcement actions under these rules.

The author of this update, Cynthia Marcotte Stamer, has decades of experience advising, representing, and defending health care providers, Medicare and Medicaid Advantage and other public and private health plans and plan sponsors, public and private employers, government contractors and grant recipients, educational organizations, child care facilities, employers, technology, data, third party administrators, and other managed care and other health care, defense, technology, life sciences and other clients about Civil Rights Laws and other religious, civil rights and other discrimination, HIPAA and other privacy and data security, False Claims Act and other billing and reimbursement, quality, technology, licensing and accreditation, whistleblower and other workforce, enforcement, governmental affairs, dispute resolution, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with health care, health insurance and managed care, insurance and financial services, defense contractors, and other workforce and data sensitive businesses domestically and internationally on employment, benefits, data and other knowledge use and protection, Federal Sentencing Guidelines and other workforce and health care management, internal and operational controls, regulatory and public policy and other legal and operational concerns. As a part of this work, she has had extensive involvement in Civil Rights Laws, Section 1557 and other discrimination compliance, training, risk management and defense.

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

Author of many highly regarded compliance, training and other resources on cybercrime and other data privacy and security, health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy in these matters.  

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on health care, leadership, governance, human resources, employee benefits, data security and privacy, insurance, and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources including the following recent publications about related emerging developments:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.


$11 Million False Claims Act Cybersecurity Settlement Reminds Health Plans HIPAA Isn’t Only Cyberbreach Exposure

March 17, 2025

The more than $11 million that Health Net Federal Services Inc. (“HNFS”) and its corporate parent Centene Corporation have agreed to pay under a settlement resolving claims that HNFS falsely certified compliance with cybersecurity requirements in a contract with the U.S. Department of Defense (“DoD”) reminds health industry organizations that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is only one of many federal statutes under which their organizations and their leaders can incur liability for cybersecurity breaches or other deficiencies. As the HNFS settlement makes clear, for instance, HIPAA Entities and other businesses that violate conditions of participation or contractual requirements for federal program participation also risk potential significant liability for deficiencies in their compliance with data security, privacy or other cybersecurity requirements of those programs.

HIPAA Important But Not Only Cyber Liability Risk For Health Industry Organizations

Most health care providers, health insurers and other health plans, healthcare clearinghouses (“Covered Entities”) and their business associates (collectively, “HIPAA Entities”) recognize the importance of complying with the national standards for the protection of individuals’ electronic protected health information (“ePHI”) set forth in HIPAA Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) to minimize or avoid painful civil monetary penalties or even criminal liability HIPAA authorizes for violations of HIPAA.

While the lengthy and growing list of HIPAA civil monetary penalties and resolution agreements obtained by the Department of Health and Human Services (“HHS”) Office of Civil Rights from entities found to have violated the Security or other requirements of the HIPAA Rules shows the continued importance for HIPAA Entities to maintain HIPAA compliance, enforcement actions like the HNFS settlement drive home that HIPAA Entities should not ignore other important cybersecurity obligations arising from the cybersecurity requirements created under terms of participation applicable to federal programs, or other applicable laws or statutes.

HNFS False Claims Act Cyber Liability Settlement

The HNFS enforcement action and settlement reveals False Claims Act liability as another significant cyber liability risk for health care providers, health care exchange insurers, Medicare Advantage, Medicaid Advantage, SCHIP, TRICARE and other military health, health technology, and other health industry organizations and their business associates and other subcontractors, who are government contractors or grant recipients.

The Justice Department previously has warned federal contractors that failing to fulfill or falsely certifying their compliance with required cybersecurity standards applicable to their contracts or programs could expose them to civil liability for violation of the False Claims Act[1] (“FCA”). On October 6, 2021, then Deputy Attorney General Lisa O. Monaco announced a Civil Cyber-Fraud Initiative would use the FCA to hold accountable government contractors and grant recipients that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches applicable to their federal contracts or programs.

To violate the FCA, the government contractor or other accused person must have submitted, or caused the submission of, the false claim or made a false statement or record with knowledge of the falsity.  Under Section 3729(b)(1), knowledge of false information is defined as being (1) actual knowledge, (2) deliberate ignorance of the truth or falsity of the information, or (3) reckless disregard of the truth or falsity of the information.

The Department of Justice obtained more than $2.9 billion in settlements and judgments from civil cases involving fraud and false claims against the government in the fiscal year ending Sept. 30, 2024.   Under the FCA, government contractors or other persons violating the FCA generally are liable to pay the United States three times the government’s damages plus a penalty that is linked to inflation for knowingly submitting or causing another to submit a false claim to the government; making a false record or statement to get a false claim paid by the government; acting improperly to avoid having to pay money to the government; or conspiring to violate the FCA.  In addition to allowing the United States to pursue FCA violations on its own, the FCA allows private citizens to file “qui tam” suits on behalf of the government against violators of the FCA.  Private citizens who successfully bring qui tam actions may receive a portion of the government’s recovery. Many Justice Department FCA and other fraud  investigations and lawsuits arise from such qui tam actions.

While the Justice Department’s announcement of the HNFS settlement did not expressly reference the Civil Cyber-Fraud Initiative, the action and statements made by Justice Department officials in connection with its announcement reflect that the Justice Department remains committed to using the False Claims Act to hold federal government health care and other contractors, subcontractors, and grant recipients accountable for failing to comply with applicable federal cybersecurity requirements.

Beginning in 2010, HNFS contracted with the DOD to provide managed healthcare support services for the TRICARE program in approximately 22 states. The support services included administrative support services, provider network development, referral management, enrollment support, and claims processing services. In 2016, Centene succeeded to these contractual obligations when it acquired all of the shares of Health Net Inc., HNFS’s corporate parent, and assumed the liabilities of HNFS. Consistent with applicable conditions for participation in the program, HNFS’s contract with the DOD required HNFS to comply with DOD data security and privacy requirements and to periodically certify that compliance.

The TRICARE contract required HNFS to “provide information management and information technology support as needed to accomplish the stated functional and operational requirements of the TRICARE program” and to adhere to certain privacy standards and cybersecurity requirements, including but not limited to 48 C.F.R. § 252.204-7012 and 51 security controls listed in the National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53), Security and Privacy Controls for Information Systems, Revision 4. The annual certification requirement included in the contract also required HNFS annually to certify both compliance with the standards and “that the security controls required by the contract are implemented correctly, operating as intended, and support the security policies of the Defense Health Agency.”

The settlement resolves DOD and Justice Department allegations that, between 2015 and 2018, HNFS failed to provide the cybersecurity controls required under its contract. Specifically, the Justice Department charged that:

  • HNFS failed to timely scan for known vulnerabilities and remedy security flaws on its networks and systems, in accordance with its System Security Plan and response times established by HNFS;
  • HNFS ignored reports from third-party security auditors and its internal audit department of cybersecurity risks on HNFS’ networks and systems related to asset management; access controls; configuration settings; firewalls; end-of-life hardware and software in use; patch management (i.e., installing critical security updates released by vendors to counter known threats); vulnerability scanning; and password policies; and
  • HNFS falsely attested to DHA that it was in compliance with at least seven of the NIST 800-53 security controls listed in the NIST Compliance Certifications when it submitted those certifications to DHA.

The Justice Department and DOD also charged HNFS with falsely certifying compliance with these controls in annual reports to DHA that were required under its contract to administer the TRICARE program.

As a result of these deficiencies, the Justice Department and Department of Defense claimed that HNFS’ claims for reimbursement under the TRICARE contract were false, regardless of whether there was any exfiltration or loss of servicemember data or protected health information.

To resolve the alleged False Claims Act liability asserted by the government, HNFS and Centene Corporation agreed to pay $11,253,400 to the Department of Justice. The settlement agreement also expressly reserves the United States’ right to pursue any criminal charges arising from the conduct and limits HNFS and Centene from raising the settlement as a bar to any such criminal charges.

Statements made by Justice Department officials in its announcement of the HNFS settlement signal that the Justice Department remains committed to using the False Claims Act to hold government contractors and other recipients of federal funds accountable for failing to comply with cybersecurity requirements of their contracts.

The press release announcing the settlement quotes Acting Assistant Attorney General Brett A. Shumate, head of the Justice Department’s Civil Division as warning, “We will continue to pursue knowing violations of cybersecurity requirements by federal contractors and grantees to protect Americans’ privacy and economic and national security.”

Meanwhile, Cyber Field Office Special Agent in Charge Kenneth DeChellis of the Defense Criminal Investigative Service (DCIS), the law enforcement arm of the DoD Office of Inspector General also is quoted as stating, “DCIS will not be deterred from investigating contractors that fail to comply with federal cybersecurity requirements and risk exposing protected information vulnerable to criminal hackers. The U.S. taxpayers who fund these government contracts expect no less.”

Taken together with the HNFS enforcement action and resulting settlement, these statements provide a strong warning for health industry and other government contractors that their failure to comply with cybersecurity requirements in their federal contracts or grants could lead to prosecution under the False Claims Act in addition to otherwise applicable liabilities arising under HIPAA or other federal or state laws. Accordingly, health care organizations; Medicare, Medicaid, SCHIP, TRICARE and Federal Health Insurance Exchange program contractors; and other federal government contractors, subcontractors and grant recipients also should ensure their ability to defend their ongoing compliance with any data security, privacy or other federal cybersecurity requirements to guard against potential False Claims Act liability for noncompliance with these contractual responsibilities.

The author of this update, Cynthia Marcotte Stamer, is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health care providers, Medicare and Medicaid Advantage and other public and private health plans and plan sponsors, government contractors and grant recipients, and their technology, data, third party administrators, and other managed care and other health care, defense, technology, life sciences and other clients about HIPAA and other protected health information, trade secret, personal information and other cybersecurity and other data and systems use, protection, and these and other federal and state program design, contracting, quality, technology, reimbursement, licensing and accreditation, compliance, enforcement, governmental affairs, dispute resolution, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

About the Author

Ms. Stamer’s work throughout her career has focused heavily on working with health care, health insurance and managed care, insurance and financial services, defense contractors, and other workforce and data sensitive businesses domestically and internationally on employment, benefits, data and other knowledge use and protection, Federal Sentencing Guidelines and other workforce and health care management, internal and operational controls, regulatory and public policy and other legal and operational concerns. As a part of this work, she has had extensive involvement in the design, enforcement, investigation, mitigation and defense of trade secret and other information privacy and confidentiality, HRIS, claims, electronic medical records, payment, and other systems and technologies; HIPAA and other health industry, DOD, FACTA, GLB, EU, and other data privacy and security, trade secret and other confidential information; and other information privacy and security laws, policies, practices, contracts and requirements.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on health care, leadership, governance, human resources, employee benefits, data security and privacy, insurance, and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources.

[1]31 U.S.C. §§ 3729 – 3733.