The real cost of compliance breakdowns
In June 2025, the Department of Justice announced the largest coordinated healthcare fraud takedown in U.S. history. The numbers were staggering: 324 individuals were charged and more than $14.6B in alleged fraud, more than doubling the prior record of $6 billion.
These schemes spanned everything from telemedicine to durable medical equipment (DME), genetic testing, addiction treatment, and even prescription opioid trafficking.
"These fraudsters lined their pockets by exploiting telemedicine technology, call centers, and telemarketing schemes – at the expense of patients and taxpayers," the DOJ said in its press release.
These aren't isolated incidents. They reflect systemic oversight, governance and culture issues – especially in organizations operating outside of large hospital systems. And they serve as a warning: compliance failures aren't only an internal risk. They're headline-making liabilities.
The vulnerable middle: where risk hides in plain sight
Fraud isn't just a problem for major health systems. Organizations in hospice, outpatient rehab, DME, telehealth and pharmacy services are increasingly under the microscope – and often, these are the entities least equipped to manage today's complex risk landscape.
"Smaller or distributed healthcare organizations struggle to apply consistent compliance oversight – and that's where risk takes root," says Clivetty Martinez, Director of Compliance and Privacy Services at Granite GRC.
These organizations can easily overlook the guardrails that larger systems have the scale to implement, whether due to lean teams, rapid growth or decentralized models. That makes them more vulnerable to fraud – and more likely to be blindsided when scrutiny arrives.
Policy isn't enough – culture counts
Policy is foundational, but it doesn't guarantee protection. Culture determines whether policies are followed, challenged or ignored.
In many of the cases cited, compliance failures stemmed from aggressive billing practices, misaligned incentives, and failure to respond to red flags. Weak internal reporting systems and fear of retaliation often prevent issues from surfacing in time.
Recent NAVEX whistleblowing data shows that underreporting remains a challenge even when employees have reporting mechanisms, especially in decentralized or lower-resourced environments.
Prevention starts with the right questions
Organizations that avoid the DOJ's radar aren't "getting lucky." They're intentional. And they're asking the right questions:
- When was our last compliance risk assessment?
- Do we have visibility into billing practices across locations or service lines?
- Are staff empowered and trained to report misconduct?
- Are we prepared to identify and respond to red flags before they escalate?
"The organizations that avoid headlines aren't lucky – they're prepared," says Jeffrey B. Miller, Esq., Director-in-Charge at Granite GRC. "They've invested in the people, systems and culture to get ahead of risk – not react to it."
From crisis to culture: getting ahead of the next big story
While these enforcement actions make headlines, they also offer an opportunity to reset. For healthcare organizations – particularly those beyond traditional hospital settings – the message is clear: building a culture of ethics and accountability is both a compliance imperative and a business strategy.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
