This month’s compliance landscape features a major federal fraud enforcement action, a state-level government audit revealing critical data privacy failures, multi-state provider license revocations, and a reminder of the New Jersey Board of Pharmacy’s robust oversight and disciplinary authority. These developments reinforce the need for proactive compliance programs that are thoroughly documented, regularly tested, and responsive to both federal and state enforcement priorities. Below, we summarize key developments and provide insights to help you navigate your compliance responsibilities in 2026.
Federal Update
DOJ Charges Two Men in $120M Medicare and Medicaid Fraud Scheme
Agency: U.S. Department of Justice (DOJ)/HHS Office of Inspector General (HHS-OIG)
Charged: February 9, 2026
A federal complaint unsealed in Brooklyn charged Inwoo Kim, 42, and Daniel Lee, 56, both of Flushing, Queens, with conspiracy to commit health care fraud. According to the complaint, the defendants operated a pharmacy and two social adult day care centers — Royal Adult Daycare and Happy Life — and from 2016 through 2026 paid illegal cash kickbacks and supermarket gift certificates to Medicare beneficiaries and Medicaid recipients to induce them to fill prescriptions and enroll in their day care facilities.
In total, Medicare and Medicaid paid approximately $120 million for prescription drugs and adult day care services that were medically unnecessary, never provided, or induced through kickbacks and bribes. At times, the defendants submitted claims that exceeded the center’s permitted capacity. Law enforcement executed multiple search warrants and seized bank accounts in connection with the arrests. If convicted, each defendant faces up to 10 years in prison. The case was investigated jointly by HHS-OIG, the FBI, IRS Criminal Investigation, and the New York State Office of the State Comptroller.
Why this matters:
This case underscores that federal enforcement of anti-kickback and billing fraud statutes remains aggressive and multi-agency in scope. Community-based healthcare providers, pharmacies, and adult day care operators face heightened scrutiny — particularly when patterns of claims for services not rendered, capacity overages, or patient inducements are detected.
Actionable Reminders
- Review all patient recruitment and referral practices for compliance with the Anti-Kickback Statute and Stark Law
- Ensure claim submissions are supported by documentation of services actually rendered and medically necessary
- Train staff to identify and report potential inducement arrangements or billing irregularities.
- Conduct periodic internal audits of billing patterns, particularly for high-volume claim categories
State Enforcement
Utah DHHS Audit Reveals Critical Privacy and Security Weaknesses
Jurisdiction: Utah — Office of the Utah State Auditor
Published: February 11, 2026
A privacy audit initiated by the Utah Office of the State Auditor — prompted by a whistleblower complaint — identified critical security weaknesses within the Utah Department of Health and Human Services (DHHS), placing the sensitive personal data of more than 2 million Utahns, including children and psychiatric patients, at significant risk.
The audit focused on two key data repositories: SAFE, the Comprehensive Child Welfare Information System used by the Division of Child and Family Services, which contains over 6 million records relating to more than 2 million individuals; and eChart, the Utah State Hospital’s central repository of records for over 10,500 patients with mental health needs. Auditors found systemic issues in access control management, record dissemination handling, and monitoring practices across both systems. Notably, over 2,000 state employees had broad, largely unfettered access to these sensitive databases, with no automated or proactive mechanisms to detect or prevent inappropriate access. DHHS staff were found to have low awareness of privacy policies and generally did not know how to report violations.
Compliance Insights:
This audit serves as a significant reminder that internal access controls, employee privacy awareness, and incident response procedures are not optional — they are foundational safeguards required under both state and federal frameworks. The findings also highlight the risk of under-reporting privacy incidents when monitoring mechanisms are inadequate.
Key takeaways:
- Conduct periodic reviews of who has access to sensitive data systems and apply least-privilege principles
- Implement automated monitoring and alerting for unusual access patterns or potential policy violations
- Train all workforce members on privacy policies and establish a clear, centralized mechanism for reporting incidents
- Develop and regularly test incident response procedures to ensure readiness and accurate reporting
- Document all corrective actions taken in response to audit findings.
Washington State DOH Continues Provider License Enforcement
Jurisdiction: Washington State Department of Health
Release Date: February 24, 2026
The Washington State Department of Health issued its latest round of license revocations and suspensions for healthcare providers across multiple disciplines. Among the actions taken in February 2026, the Department and Elena T. Nguyen entered an agreed order suspending her certified and registered nursing assistant credentials for at least two years following a 2023 incident in which she provided and used controlled substances and nicotine with a minor patient. In a separate action, the Department indefinitely suspended Kyon J. Saucier’s home care aide credential following a December 2023 incident involving inappropriate physical force toward children and inappropriate comments to students.
These disciplinary actions are consistent with Washington DOH’s ongoing enforcement of patient safety and professional conduct standards across more than 80 licensed healthcare professions. The Department also cross-references disciplinary actions from other states, immediately suspending Washington credentials of providers prohibited from practicing elsewhere.
Compliance Insights:
Regular credential verification and primary source monitoring are critical tools for healthcare organizations. License suspension or revocation in one state can signal disqualifying conduct that should trigger action in any jurisdiction where a provider is credentialed or employed.
Key takeaways:
- Ensure continuous primary source verification of provider credentials — not just at onboarding, but throughout the employment relationship
- Maintain processes to cross-check providers against state and federal exclusion and disciplinary databases
- Include patient safety conduct standards in provider agreements and performance review processes
New Jersey Board of Pharmacy: Disciplinary Oversight and Compliance Expectations
Jurisdiction: New Jersey Division of Consumer Affairs, Board of Pharmacy
The New Jersey Board of Pharmacy — the oldest professional licensing board in New Jersey, established in 1877 — continues to investigate and discipline pharmacists and pharmacy staff who fail to comply with applicable laws and regulations. The Board’s mandate includes enforcing continuing professional education requirements, ensuring proper pharmacy registration, and protecting the public from dispensing errors or unprofessional conduct.
The Board actively investigates complaints, requires detailed written responses from licensees, and may pursue disciplinary hearings where warranted. Pharmacies operating in New Jersey must maintain compliance with state law governing controlled dangerous substances, prescription recordkeeping, staffing, and inspection readiness. The Board also oversees the New Jersey Prescription Monitoring Program (NJPMP), with civil penalties of up to $10,000 for unauthorized NJPMP data disclosure.
Compliance Insights:
Pharmacy compliance programs must encompass not just dispensing accuracy, but also licensing, continuing education tracking, controlled substance recordkeeping, and data privacy obligations tied to state monitoring programs. Multi-state pharmacy operators face layered regulatory obligations that require proactive tracking.
Key takeaways:
- Maintain current pharmacy and pharmacist licensure and ensure continuing education requirements are met and documented
- Review controlled substance handling, recordkeeping, and disposal policies for compliance with New Jersey law
- Train staff on proper NJPMP access protocols and the restrictions on data disclosure.
- Establish a complaint response process to ensure timely, thorough responses to any Board inquiries or charges
Conclusion: Strengthening Compliance in 2026
February’s developments underscore several compliance imperatives for healthcare organizations: fraud enforcement targeting community-based providers and pharmacies demonstrates that kickback-driven billing schemes — however long-running — will be uncovered and prosecuted aggressively; state-level audits continue to expose fundamental gaps in access control and privacy incident response that carry serious reputational and regulatory consequences; and ongoing provider credential monitoring remains essential for patient safety and organizational risk management.
Verisys is committed to helping compliance professionals make informed decisions with real-time provider data, risk insights, and tools that support documentation, verification, and monitoring across provider networks — strengthening your readiness in an evolving regulatory landscape.
References:
https://www.njconsumeraffairs.gov/phar
https://www.hipaajournal.com/utah-department-health-human-services-audit-security-weaknesses/
