While the federal False Claims Act (FCA) is the “Lincoln Law” that sets the national standard, a quiet revolution has taken place across state capitals. Today, nearly 30 states and the District of Columbia have enacted their own False Claims Acts. These state-level statutes are not just mirrors of the federal law; they are potent weapons used by State Attorneys General to recover billions in stolen taxpayer funds, primarily through the Medicaid program.
As we move through 2026, state actions have hit record-breaking levels. This post explores the mechanics of State FCAs, the critical role of whistleblowers in state actions, and the landmark cases from 2025 and 2026 that are reshaping the enforcement landscape.
The Power of the “State Qui Tam”
At the heart of state enforcement is the qui tam provision. Just like the federal version, state FCAs allow private citizens to sue on behalf of the state. If the state recovers money, the whistleblower (relator) is entitled to a percentage—usually between 15% and 30%.
Why State FCAs Matter
Many people assume that federal authorities handle all major fraud. However, state programs—especially Medicaid—are jointly funded. When a provider overbills Medicaid, they aren’t just stealing from the U.S. Treasury; they are stealing from that state’s specific budget. State FCAs allow local prosecutors to:
- Triple the Damages: Most states allow for “treble damages,” meaning a fraudster must pay back three times what they stole.
- Impose Local Penalties: States often have higher per-claim penalties than the federal government.
- Target State-Specific Issues: This includes state construction contracts, local tax fraud (in states like New York), and state-funded environmental projects.
2025–2026 Case Studies: The State Enforcement Surge
The last 18 months have seen unprecedented coordination between State Attorneys General and whistleblowers. Here are the defining cases that reflect the current state-level priorities.
California: The CVS “Medi-Cal” Settlement (2025)
In early 2025, California reached an $18.2 million settlement with CVS Pharmacy. The case, initiated by a whistleblower, alleged that CVS knowingly submitted improper reimbursement requests to Medi-Cal (California’s Medicaid program). See U.S., et al. ex rel. Zimniski v. CVS Health Corporation, no. 2:19-cv-1118 (E.D. Cal. 2025).
The Impact: This case highlighted California’s aggressive use of its state FCA to police pharmacy benefit managers (PBMs) and large retail chains. It signaled that California would not wait for federal intervention to protect its state health budget.
Texas: The $125 Million Healthcare Fraud Sweep (2025)
Texas Attorney General Ken Paxton announced in early 2026 that the state’s Medicaid Fraud Control Unit (MFCU) recovered over $125 million in 2025 alone. A significant portion of this came from a multi-state “takedown” involving fraudulent billing for genetic testing and illegal kickbacks.
- The Case: Texas played a lead role in prosecuting a scheme where marketers targeted low-income Texans at public events to collect DNA samples, which were then used to bill Medicaid for unnecessary tests via “sham” telemedicine orders.
- The Lesson: This reflected the state’s priority on “Operation Gold Rush“—a crackdown on high-tech schemes that exploit the state’s vulnerable populations.
New York: The Barn Rentals Tax Fraud (2025)
New York remains unique because its False Claims Act covers Tax Fraud—an area the federal FCA famously excludes. In late 2025, New York settled a major whistleblower case against Barn Rentals and related entities for $3.9 million.
The whistleblower alleged the company evaded state taxes through a series of shell companies and false filings. Under New York law, the whistleblower received a significant portion of the recovery, proving that “tax whistleblowing” is one of the most lucrative and effective tools for state enforcement in the country.
Pfizer & the Migraine Drug Kickbacks (2025)
In January 2025, pharmaceutical giant Pfizer agreed to pay nearly $60 million to resolve a combination of federal and state FCA allegations. See U.S. ex rel. Patricia Frattasio v. Biohaven Pharmaceutical Holding Company Ltd., No. 6:21-CV-06539 (W.D.N.Y. 2025).
- The Fraud: The company allegedly paid improper “honoraria” and travel expenses to physicians to induce them to prescribe the migraine drug Nurtec ODT.
- The State Role: While the federal government took the lead, dozens of states (including Florida, New York, and Massachusetts) recovered millions in their individual capacities because the kickbacks led to improper claims filed against their specific state Medicaid programs.
Key Differences: State vs. Federal FCA
While the statutes are similar, the “Particularity” requirement of Rule 9(b) can be even trickier at the state level.
| Feature | Federal FCA | State FCA (General) |
| Primary Target | Medicare, Defense, IRS (Separate Program) | Medicaid, State Taxes, Local Construction |
| Damages | 3x the loss | 3x the loss (plus higher state penalties) |
| Tax Fraud | Excluded | Included in NY, DC, and IL |
| Relator Share | 15% – 30% | 15% – 30% (Variable by State) |
The “Whistleblower Reward” Landscape
If you are considering a state-level action, the jurisdiction matters immensely. For example:
- California and Illinois: These states have an “Insurance Claims Fraud Prevention Act” that allows whistleblowers to sue for fraud against private insurance companies—not just the government.
- Florida and Texas: These states have very robust Medicaid-specific acts but are often more conservative regarding general “state contract” fraud.
- New York: The gold standard for tax whistleblowers.
The New Frontier: Cybersecurity as a False Claim
As we move through 2026, HHS has made one thing clear: if a healthcare provider or tech vendor takes government money but fails to follow cybersecurity standards, they are “lying” to the government. This is the core of the Civil Cyber-Fraud Initiative.
Why Cybersecurity is a Whistleblower Priority
In the past, a data breach was seen as a tragedy for the company. Now, HHS views it as a potential False Claims Act violation. If a hospital or software company certifies that they are HIPAA-compliant or meet NIST security standards to get federal funding—but they actually have “unpatched” vulnerabilities or “ghost” security protocols—they have made a false statement.
Case Examples from 2025–2026
- The “Unpatched” Lab Case (2025): Illumina paid $9.8 million to resolve a whistleblower’s allegations that it sold genomic sequencing systems to federal agencies while knowing the systems had significant cybersecurity vulnerabilities. See United States ex. rel. Lenore v. Illumina Inc., No. 1:23-cv-00372 (D.R.I. 2025).
- The Georgia Tech Settlement ($875,000, 2025): While in the research space, this case sent shockwaves through healthcare. The government settled allegations that the university failed to implement required anti-virus and system security plans while receiving federal grants. See United States ex rel. Craig v. Georgia Tech Research Corporation et al., No. 1:22-cv-02698 (N.D. Ga. 2025).
- The “Failure to Correct” Priority: In early 2026, the DOJ announced it is specifically looking for whistleblowers who have evidence that a company knew about a cyber-vulnerability but chose not to fix it because it was too expensive, all while continuing to bill the government.
What This Means for 2026 Relators
Whistleblowers are no longer just nurses or billing clerks. They are now IT professionals, Chief Information Security Officers (CISOs), and software engineers. If you are an insider who has warned your company that their “cyber-hygiene” is a sham—and that company is billing Medicare or Medicaid—you may be sitting on a major False Claims Act case.
Conclusion: Why Now?
State Attorneys General are under increasing pressure to protect their budgets from the rising costs of healthcare and infrastructure. With record-breaking recoveries in FY 2025 (over $6.8 billion combined at federal and state levels), the state-level “qui tam” is no longer a niche legal tool—it is a primary engine of state revenue and justice.
For whistleblowers, the lesson of 2025 and 2026 is clear: Fraud doesn’t have to be “federal” to be significant. A well-documented case of local Medicaid abuse or state contract manipulation can lead to massive recoveries and life-changing rewards.