After years of waiting, the U.S. Department of Defense (DoD) posted to the Federal Register for public inspection on September 9, 2025, a final rule implementing the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) standards into the Defense Federal Acquisition Regulation Supplement (DFARS) (the Final Rule), which was formally published a day later on September 10, 2025. The Final Rule’s requirements will become effective in the DFARS as of November 10, 2025, and pertain to all DoD contractors and subcontractors.  Defense contractors should ensure their compliance with the standards as soon as possible in order to maintain eligibility to compete for DoD contracts and perform DoD subcontracts, as well as to avoid bid protests and/or civil False Claims Act allegations.

In 2020, California was the first mover in state comprehensive privacy law legislation, a distinction it held for approximately three years before other states took similar action.  Indeed, eighteen additional states have passed their own privacy bills, along with many complementary laws related to children’s privacy, consumer health data privacy, biometric data privacy, and data broker practices.  Notwithstanding these efforts, California has retained its reputation as the most formidable state enforcer of privacy law protections—until now, at least.  As we explain, recent enforcement actions by the Attorneys General of Connecticut and Nebraska highlight an important shift: states beyond California are not only enacting laws aimed at safeguarding privacy, they are taking action to demonstrate that those laws have teeth.

On July 11, 2025, in United States v. Schena, the U.S. Court of Appeals for the Ninth Circuit issued the first appellate decision interpreting the Eliminating Kickbacks in Recovery Act (“EKRA”). The decision marks a significant development in EKRA’s enforcement, as it represents the first time a federal appeals court has addressed EKRA’s reach and moved toward some clarity in its application to marketing arrangements within the healthcare industry, particularly in the often-discussed lab context.

On April 14th, 2025, the U.S. Court of Appeals for the Seventh Circuit reversed the Anti-Kickback Statute (AKS) conviction of Mark Sorensen, the owner and operator of a Medicare-registered durable medical equipment distributor in United States v. Sorensen, 134 F.4th 493, 496 (7th Cir. 2025). The lower court had found that Sorensen’s practice of hiring advertising and marketing companies based on a percentage-based fee to sell orthopedic braces to Medicare patients violated the AKS at 42 U.S.C. § 1320a-7b(b)(2)(A). In reversing the district court, the Seventh Circuit followed the Fifth Circuit’s United States v. Marchetti, holding that the central question was whether the defendant intended to “induce ‘referrals,’ which is illegal” or whether he intended to “compensate advertisers, which is permissible.” Finding that there was no evidence of this improper intent, particularly as the marketers were not in a position to influence patients, the Seventh Circuit reversed.

On June 26, the Department of Justice announced an $18,500,000 settlement agreement with NUWAY Alliance (NUWAY), a substance use disorder treatment clinic, arising out of medical necessity and kickback allegations. The complaint, filed first in 2021 by a whistleblower and unsealed last month, alleges that NUWAY and its CEO, David Vennes, engaged in a scheme to induce Medicaid patients to participate in NUWAY’s intensive outpatient treatment.

On July 31, 2025, the U.S. Department of Justice announced a $1.75 million False Claims Act (FCA) settlement with Aero Turbine, a California-based defense contractor, and private equity firm Gallant Capital Partners. The settlement arises out of allegations that Aero Turbine failed to comply with cybersecurity requirements under a U.S. Air Force contract and provided

The global crypto-asset market cap has increased from approximately $2.3 trillion on election day, November 5, 2024, to approximately $3.9 trillion today, some eight months later. That rise in demand has been accompanied by a dramatic change in how U.S. federal regulators approach crypto-assets. During the last administration, some financial institutions felt discouraged from offering crypto-asset products and services, which this administration emphatically reversed. Today, as a result of market growth, customer demand, and a more favorable regulatory environment, many financial institutions are exploring or launching crypto-related products and services.

Amazon’s recent announcement to invest at least $20 billion in cloud computing and AI data center campuses across Pennsylvania—a record‑breaking private investment in the Commonwealth—marks a turning point in digital infrastructure build-out.  Spanning sites in Luzerne and Bucks counties, the project promises 1,250 full‑time roles and thousands more in construction, while pairing with high‑demand energy sources like a nearby nuclear plant. The rapid expansion of AI data centers poses a unique set of risks—ranging from construction hazards to power and environmental challenges— and highlights the need those involved in these large infrastructure projects to close potential insurance coverage gaps and to explore alternative risk transfer solutions.

Remote patient monitoring (“RPM”) continues to see increased growth and evolution. With that industry growth, the government has begun to examine whether certain RPM models may have fraud and abuse concerns when others will not. To that end, on June 26, 2025, the Department of Justice (“DOJ”) announced that Health Wealth Safe, Inc. (“Health Wealth Safe”) and owner, Dr. Subodh Agrawal, paid $1.29 million to settle allegations of submitting false claims to Medicare under the False Claims Act (“FCA”). Health Wealth Safe allegedly failed to refund the government for 2.5 years of claims for improperly provided RPM services in violation of the FCA’s “reverse false claims” provision. Additionally, the United States alleged that Health Wealth Safe paid physician practice groups illegal kickbacks in exchange for patient referrals, and billed Medicare for RPM services that DOJ alleged were not reimbursable.

The Federal Trade Commission was quiet in its role as the Made in USA enforcement authority during the first few months of the Trump administration. But July left little doubt that the current FTC will continue the robust activity of its predecessor. The first indication was FTC Chairman Andrew Ferguson declaring July 2025 to be “Made in the USA” month. He reiterated that the FTC is charged with enforcing laws prohibiting false or unsubstantiated Made in USA claims. He further noted the importance of protecting American consumers from improper claims so they can have confidence that buying products marketed as Made in USA truly support American businesses and workers.