DOJ Signals New FCA Targets: Cyber, AI, and Private Equity Risk

NEW YORK, NY – December 12, 2025 – As corporations map out their strategic plans for 2026, the Department of Justice is sending clear signals about the future of corporate liability, and the message is one of expanding risk. The upcoming 13th Annual Advanced Forum on False Claims and Qui Tam Enforcement, hosted by the American Conference Institute (ACI) in January, is shaping up to be more than just a legal conference; it's a bellwether for the DOJ's increasingly aggressive and sophisticated enforcement posture.

The roster of speakers and co-chairs—featuring a formidable lineup of current and former DOJ heavyweights like Deputy Assistant Attorney General Brenna Jenny and former U.S. Attorney Zachary Cunha—indicates a serious, high-level focus on corporate accountability. The topics on the agenda are a strategic roadmap to the government's priorities, pointing toward a future where digital risk, private equity ownership, and inter-agency cooperation create a complex new minefield for businesses.

A Coordinated Crackdown on Corporate Fraud

The False Claims Act (FCA) has long been the government's primary tool for combating fraud, and its use is intensifying. With the DOJ recovering over $2.9 billion in FCA settlements and judgments in fiscal year 2024, the financial stakes for non-compliance are astronomical. What's changing is the methodology of enforcement. The ACI forum's focus on tandem operations between the DOJ's Civil and Criminal Divisions, as well as joint efforts with agencies like the Department of Health and Human Services (HHS), points to a more holistic and formidable enforcement apparatus.

This coordinated approach is designed to close loopholes and apply pressure from multiple angles. For businesses, this means an alleged instance of fraud is less likely to be siloed within a single regulatory investigation. Instead, it could trigger parallel civil and criminal inquiries, dramatically increasing legal costs, reputational damage, and potential penalties. Healthcare, which accounted for over $1.67 billion of 2024's recoveries, remains ground zero for this strategy. The renewed focus on Medicare Advantage fraud, where risk scores can be inflated through unsupported diagnoses, is a prime example. Federal agencies are now leveraging advanced data analytics and AI to detect suspicious billing patterns, turning a company's own digital records into a source of prosecutorial evidence.

Digital Risk Becomes Financial Liability: The Cyber-Fraud Initiative

A pivotal shift for any company doing business with the U.S. government is the transformation of cybersecurity compliance from an IT issue into a direct source of FCA liability. The DOJ's Civil Cyber-Fraud Initiative, launched in late 2021, is now bearing significant fruit. This initiative uses the FCA to pursue government contractors and grant recipients who knowingly misrepresent their cybersecurity posture or fail to monitor and report breaches.

Recent settlements in 2025, some exceeding $50 million, have demonstrated this is not a theoretical threat. Cases have targeted defense contractors and healthcare entities for falsely certifying compliance with federal cybersecurity standards. With the Department of Defense's new Cybersecurity Maturity Model Certification (CMMC) requirements taking full effect, the attack surface for FCA liability is set to expand exponentially. Every invoice submitted to the government can now be interpreted as an implicit certification of cybersecurity compliance, meaning a failure to meet standards like those in CMMC could render every payment request a "false claim."

This trend demands a radical rethinking of digital risk within the C-suite and the general counsel's office. Cybersecurity is no longer just about preventing attacks; it's about meticulous documentation, transparent reporting, and ensuring that digital transformation initiatives do not outpace the organization's ability to maintain and prove its compliance.

Private Equity's Shield Is Cracking

For years, private equity firms have often operated with a degree of separation from the day-to-day compliance failures of their portfolio companies. That shield is rapidly deteriorating. Regulators are now intensifying their scrutiny of PE ownership, particularly in highly regulated sectors like healthcare and defense. The ACI forum's decision to dedicate a session to the FCA's impact on private equity investors and their consultants is a direct response to this trend.

Federal enforcement actions have begun to name PE firms in settlements alongside their portfolio companies, signaling a willingness to establish direct wrongdoing by sponsors who are involved in administering government contracts or who turn a blind eye to misconduct. State laws are amplifying this pressure. A new Massachusetts law, for example, explicitly extends FCA liability to PE investors in healthcare who fail to disclose known misconduct. The strategic implication is clear: the "passive investor" defense is wearing thin. Pre-acquisition due diligence must now include a forensic-level review of a target's FCA compliance history and culture. Post-acquisition, hands-off oversight is a dangerous gamble, as PE firms may be held responsible for failing to correct compliance deficiencies they knew or should have known about.

The Unwavering Influence of the Whistleblower

Underpinning all these trends is the enduring power of the qui tam, or whistleblower, lawsuit. In fiscal year 2024, a record 979 qui tam suits were filed, and these actions were responsible for over 83% of the total recoveries. The government's enforcement strategy is heavily dependent on insiders who report fraud.

The inclusion of Hamsa Mahendranathan, a prominent partner at a whistleblower-focused law firm, as a conference co-chair underscores the central role that relators' counsel plays in the FCA ecosystem. While the constitutionality of the FCA's qui tam provisions faces legal challenges, the DOJ continues to vigorously defend them, and for businesses, the immediate reality is that the primary risk of an FCA investigation comes from an internal source. This makes robust internal compliance programs, ethics reporting hotlines, and a non-retaliatory "speak-up" culture not just best practices, but essential strategic defenses. Identifying and addressing potential misconduct internally is the only reliable way to mitigate the immense financial and reputational risk of a whistleblower action that brings the full, coordinated weight of the federal government to the door.