"I Just Got A CID - Now What?"

May 12, 2026


What Healthcare Companies Need to Know About AG and Congressional Investigations in 2026

Healthcare companies and private equity-backed platforms are squarely in the sights of Congress, state attorneys general, and sector-specific regulators in 2026. Enforcement is being driven by concerns about affordability, consolidation, data security, quality of care, and the role of private equity in clinical settings. Many healthcare organizations will see a civil investigative demand (CID) or subpoena from the Texas Attorney General or New York Attorney General or an inquiry from a legislative committee in the coming year.

This guide is aimed at healthcare providers, payors, digital health and health IT companies, and PE-owned platforms that receive, or are worried about receiving, a CID or government subpoena. It also highlights how recent developments in California, Texas, and New York increase the stakes.

Why Healthcare is in the Crosshairs

The federal administration, governors, Congressional committees, and state attorneys general have signaled that healthcare will remain a front-line target for oversight, regardless of which party is in control. There is sustained interest in topics such as healthcare pricing, pharmacy benefit management, Affordable Care Act subsidies, and the use of artificial intelligence in care delivery and reimbursement.

In parallel, there is particular interest in hospital consolidation and the role of private equity and other financial sponsors in physician groups, hospitals, nursing homes, and health tech and device companies. Congressional and state legislative staff are scrutinizing how ownership structures affect patient outcomes, staffing, service line changes, and overall cost of care. These lines of inquiry often overlap with state AG and federal agency priorities.

California’s New Laws on Private Equity in Healthcare

California has adopted some of the most aggressive state-level measures to police private equity and hedge fund participation in healthcare, effective January 1, 2026. Two new statutes, Assembly Bill 1415 (AB 1415) and Senate Bill 351 (SB 351), significantly expand transaction oversight and tighten corporate practice of medicine rules for financial sponsors.

AB 1415 broadens the jurisdiction of the California Office of Health Care Affordability (OHCA) to require notice for a wider range of healthcare transactions, explicitly capturing private equity groups, hedge funds, MSOs, and new entities formed to transact with healthcare providers. SB 351 reinforces California’s prohibition on lay control of physician and dental practices, targets non‑clinical control over clinical decision-making, and restricts common contractual tools such as certain non‑compete and disparagement provisions in PE‑backed practice arrangements.

These California developments both reflect and reinforce a broader national trend of heightened scrutiny of PE healthcare investment, including enhanced AG review authority in multiple states and proposals to require pre-closing notice or approval for sponsor-backed healthcare deals.

Texas: CIDs, Medicaid Fraud, and Data Breach Enforcement

Texas has been very public about its focus on healthcare enforcement, particularly in Medicaid fraud and data security involving protected health information. The Texas Attorney General’s Healthcare Program Enforcement Division has launched investigations into dozens of Medicaid providers, including home health and occupational therapy providers and entities suspected of COVID-19-related fraud, often leveraging newly available federal HHS claims data combined with internal data and CIDs.

The Texas AG’s office reports recovering over one billion dollars in Medicaid fraud since 2020 and actively uses CIDs as a core investigative tool in anticipation of litigation. The office has also issued CIDs in the context of large health data breaches, such as an investigation into Blue Cross Blue Shield of Texas and Conduent following a breach that exposed the protected health information of approximately four million Texans.

The Texas Supreme Court recently addressed the state AG’s CID authority in a case under the Deceptive Trade Practices Act, clarifying the standards for challenging CIDs and underscoring the breadth of the AG’s investigatory powers. While the details are case-specific, the decision reinforces that recipients face an uphill battle if they wait to raise objections or lack a robust record supporting their challenges.

New York: Data Security, Mental Health, and Medicaid Enforcement

New York’s Attorney General has likewise maintained an active healthcare enforcement docket, with a strong focus on data security, Medicaid-related issues, and access to behavioral health services. The Health Care Helpline of the office’s Health Care Bureau handled nearly 4,900 complaints in 2025, and complaint patterns are used to identify systemic problems that can trigger broader investigations and enforcement actions.

Recent New York settlements underscore how investigations can lead to sweeping injunctive relief and ongoing monitoring obligations. For example, the AG reached significant agreements requiring EmblemHealth to pay monetary relief and overhaul its mental health provider network after finding “ghost networks,” and requiring NewYork-Presbyterian Hospital to implement major reforms to its emergency and psychiatric care practices. These cases illustrate how New York pairs financial penalties with long-term oversight designed to change business practices in core healthcare operations.

At the same time, New York has tightened its data breach notification regime in ways that directly affect entities handling medical and health insurance information, including many that are not HIPAA-covered. Amendments effective in 2025 add a 30-day outer deadline for notifying affected residents of a reportable breach, expand “private information” to include medical and health insurance data, and require notice to the AG and other regulators, with additional obligations for entities regulated by the Department of Financial Services. Healthcare and life sciences companies operating in New York therefore face parallel enforcement risk from both traditional health‑law violations and cybersecurity or privacy lapses.

What Exactly Is a Civil Investigative Demand?

A civil investigative demand is a powerful pre-litigation tool that allows enforcement authorities to compel documents, written responses, and testimony before filing a complaint. In Texas, for example, the AG may issue CIDs under the Deceptive Trade Practices Act and other statutes to investigate potential violations, and courts have recognized wide latitude so long as the demand is within statutory authority and not unduly burdensome. Many state AGs, including Texas and New York, use CIDs in healthcare matters ranging from Medicaid fraud and deceptive practices to data breaches and network adequacy issues.

CIDs often seek broad categories of information, including claims and billing data, internal communications, quality metrics, contracts, and communications with payors or investors, and they typically include aggressive response timelines. That structure can create significant operational disruption for providers and PE-backed platforms that are not prepared.

“I Received a Civil Investigative Demand. What Do I Do?”

If your organization receives a CID or subpoena from the Texas or New York AG, or from a congressional or state legislative committee, there are a handful of immediate steps that should happen before anyone hits “reply.”

1. Do not ignore it, but do not respond on your own

A CID or subpoena is a compulsory legal instrument, and failing to respond can lead to court enforcement actions and sanctions. At the same time, ad hoc or informal responses, no matter how well intentioned, can lock the company into positions, waive objections, or expand the investigation unnecessarily.

2. Immediately engage experienced investigations counsel

Counsel who regularly deal with CIDs and government subpoenas can quickly assess the scope of the demand, applicable privileges, and what the government is likely looking for in light of current enforcement priorities in Texas, New York, and at the federal level. Currently, those priorities include Medicaid and managed care fraud in Texas, healthcare pricing and access in New York, and cost, consolidation, and private equity ownership in Congress.

3. Implement a litigation hold and preserve data

From the moment a CID or subpoena is received, the organization has a duty to preserve potentially relevant documents and data, including emails, messaging platforms, EHR systems, claims and billing files, and board materials. Destruction or alteration of relevant information can transform a regulatory inquiry into an obstruction or spoliation issue, even if done inadvertently.

4. Map the scope and identify key custodians

Your team and outside counsel should quickly identify what topics and time periods the demand covers, which business units and individuals are likely to have responsive material, and whether third-party vendors (e.g., billing companies, MSOs, IT providers) hold relevant data. For PE-backed platforms, this often includes both portfolio-company operations and sponsor-level communications relating to strategy, cost, and quality.

5. Engage with the issuing agency on scope and timing

In many cases, counsel can negotiate with the AG or committee staff to narrow overly broad requests, stage productions, extend deadlines, and resolve threshold issues such as privilege, confidentiality, and personally identifiable information. Texas and New York enforcement staff are accustomed to such discussions, particularly where large datasets, PHI, or complex multi-entity structures are involved.

“The Texas or New York AG Sent Me a CID. What Should I Do Differently?”

While the fundamentals are the same, each jurisdiction brings its own dynamics.

Texas AG CIDs

Given Texas’s public emphasis on Medicaid fraud and its use of HHS claims data and CIDs to launch dozens of provider investigations, home health, OT, behavioral health, and other Medicaid-billing entities should assume that the AG already has detailed billing analytics in hand. The Blue Cross/Conduent data breach CIDs show that entities handling PHI, including insurers and vendors, are also exposed to CID-driven data security investigations in Texas.

Texas’s high-profile enforcement posture, coupled with the Texas Supreme Court’s recent confirmation of broad CID authority, means recipients should focus on strategic negotiation and careful, accurate responses rather than reflexively moving to quash. At the same time, Texas courts will look closely at overbreadth and burden if a challenge is warranted, so contemporaneous documentation of the effort and difficulty involved in compliance can be critical.

New York AG CIDs and Subpoenas

New York’s active healthcare and Medicaid enforcement, combined with its expanding data-breach framework, means CIDs and subpoenas often touch both traditional health law theories and consumer protection or cybersecurity theories in a single investigation. For example, investigations into “ghost networks” and mental health parity have resulted in settlements requiring insurers to pay monetary relief, update network directories, and submit to independent monitoring and reporting obligations.

New York’s amended data breach laws create additional pressure around timing and content of breach-related disclosures, which can feed into AG investigations if the office believes notification was untimely or incomplete. For entities operating in multiple states, coordinating New York’s requirements with HIPAA and other state laws is essential to avoid inconsistent positions before different regulators.

“How Should We Respond to the CID?”

Beyond triage, effective CID responses in the healthcare context usually share several features:

  • Careful privilege and confidentiality strategy. Work product, attorney-client communications, quality assurance materials, peer-review information, and internal compliance assessments must be carefully screened and logged; in some jurisdictions, special protections may apply to peer-review and QA materials.

  • Data-driven narrative. Given that regulators increasingly rely on claims data, pricing information, and algorithmic outputs, it is important to understand what the government’s data likely show and be prepared to explain anomalies, outliers, or trends with operational context, especially where private equity ownership and cost or staffing changes are in play.

  • Alignment with broader regulatory themes. For Congress and for AGs in states like California, Texas, and New York, hot-button issues include patient access, quality metrics, behavioral health parity, data security, and the influence of non-clinical ownership. Responses that show proactive compliance, remediation where appropriate, and a credible governance framework tend to fare better than barebones document dumps.

“How Do We Respond to a Government Subpoena from a Regulator or Congress?”

Many of the same principles apply to subpoenas from agencies or congressional and legislative committees:

  • Understand the issuer and potential exposure. A subpoena from a congressional or legislative committee may be purely investigative and aimed at public hearings, while subpoenas from state AGs or agencies like state health departments or insurance regulators may indicate enforcement or licensing actions.

  • Coordinate with parallel proceedings. Particularly in healthcare, a single set of facts can draw interest from multiple actors—state AGs, federal agencies, congressional committees, and private plaintiffs—which makes message discipline and document consistency critical.

  • Plan for public and stakeholder communication. High-profile health investigations (whether involving data breaches, mental health access, or alleged billing misconduct) often generate media, investor, and patient communications issues that should be handled in lockstep with the legal strategy.

Special Considerations for Private Equity-Backed Healthcare Platforms

For private equity sponsors and portfolio companies, recent California legislation, AG practices, and congressional rhetoric mean traditional “clinical independence” talking points may no longer be sufficient. California’s AB 1415 and SB 351, for instance, are explicitly concerned with non-clinical entities influencing healthcare delivery, and they expand both transaction review and enforcement hooks. At the federal and multi-state level, policy papers and enforcement updates routinely single out private equity’s role in healthcare as a distinct focus area.

In a CID or subpoena context, that translates into heavier emphasis on:

  • Board- and sponsor-level decision-making around staffing, service lines, and pricing;

  • the extent to which clinical protocols are insulated from financial pressures; and

  • whether integration, consolidation, or roll-up strategies have negatively affected competition or patient access.

Preparing Before the CID Arrives

In this environment, healthcare organizations and sponsors should treat readiness for CIDs and subpoenas as part of their core risk management program, not an afterthought.

Practical steps include:

  • Mapping your regulator and AG exposure by state and service line, with particular attention to Texas, New York, and California if you have operations, members, patients, or data in those jurisdictions.

  • Aligning transaction structures and governance with California’s new private equity healthcare laws if you have or are planning investments in physician or dental practices in that state.

  • Stress-testing your data security and breach response plans against New York’s revised, stricter notification deadlines and expanded definition of “private information,” as well as Texas’s aggressive approach to PHI breaches.

  • Refreshing compliance programs around Medicaid billing, behavioral health parity, mental health access, and network adequacy, areas that have featured in recent enforcement actions and settlements in both Texas and New York.

  • Developing a playbook for “what to do when receiving a CID or subpoena,” including internal communication protocols, a litigation-hold template, and pre-identified outside counsel and forensic support.

How We Can Help

Our team regularly advises healthcare providers, digital health companies, and private equity sponsors on responding to CIDs and subpoenas from state AGs, congressional committees, and regulators, with specific federal, New York, and Texas experience. We help clients:

  • triage and negotiate the scope and timing of CIDs and subpoenas;

  • manage complex, PHI-heavy document collections and productions;

  • craft data-driven narratives that speak to current enforcement and legislative priorities; and

  • design and implement remediation and compliance enhancements that can mitigate enforcement risk.

If you have received a CID or subpoena or see warning signs that one may be coming, please reach out to discuss how we can help protect your organization and position you strategically in this evolving landscape.

 

© 2026 Frazer + Blase, P.C. | Attorney Advertising
Legal Notices | Terms of Service | Privacy Policy

New York

11 Broadway, Suite 615

New York, NY 10004

(646) 844-3671

Houston

25511 Budde Road, Suite 2801
The Woodlands, TX 77380
(281) 875-8200
