HHS-OIG Enforcement: The Federal Record of Healthcare Fraud Settlements and Penalties

Every year the federal government pays out more than a trillion dollars through Medicare and Medicaid, and every year some of that money is stolen—billed for services never rendered, inflated with kickbacks, or upcoded into a higher-paying diagnosis. The office that chases it back is the HHS Office of Inspector General, the largest inspector general in the government, and its enforcement record is the running ledger of who got caught: roughly 10,900 actions—settlements, civil monetary penalties, corporate integrity agreements, and exclusions—each naming a party, a date, a dollar figure where one applies, and the statute it broke. Read together, the actions are a map of where healthcare-fraud risk has concentrated.

This article covers what the HHS-OIG enforcement record is and how it differs from the separate LEIE exclusions list; the OIG's mission as the integrity watchdog over Medicare, Medicaid, and the rest of HHS; the three statutes that do most of the work—the False Claims Act with its qui tam whistleblower provisions, the Anti-Kickback Statute, and the Stark Law on physician self-referral; the kinds of action the record holds, from civil settlements and civil monetary penalties to corporate integrity agreements and program exclusions; the conduct that recurs, including billing for medically unnecessary services, upcoding, and kickbacks; the Medicare Fraud Strike Force and the joint work with the Department of Justice; how the enforcement record joins to the LEIE and to provider identifiers; the analyses the data supports; a Python workflow that reads the genuine oig.hhs.gov enforcement listing and tallies actions by type and year while ranking recorded settlement amounts; and the caveats—free-text fields, partial dollar coverage, and the difference between an allegation and an admission—that every analyst must internalize.

What the dataset is

The HHS Office of Inspector General publishes a running, public record of its enforcement actions: the legal and administrative outcomes of its investigations into fraud, waste, and abuse in HHS programs. The record spans criminal and civil actions—often brought jointly with the Department of Justice—along with the OIG's own administrative remedies: civil monetary penalties, corporate integrity agreements imposed on settling providers, and program exclusions. It is distinct from the OIG's separate List of Excluded Individuals and Entities (LEIE), which is the standing roster of who is currently barred from federal healthcare programs. The enforcement record is the narrative of what the OIG did—the settlements and penalty cases—while the LEIE is the standing answer to the operational question of who may not be paid right now. The two are tightly related, and joinable, but they are not the same dataset.

In our database this record is stored as the table hhs_oig_enforcement, with the grain of one row per enforcement action: a single settlement, civil monetary penalty case, or other resolved action is one row. The columns capture who was the subject, what kind of action it was, when it resolved, how much money was involved where applicable, and the legal basis:

party                 -- the provider, company, or individual named in the action
action_type           -- settlement, civil monetary penalty (CMP),
                         criminal/civil action, CIA, exclusion-linked action
action_date           -- the date the action was posted or resolved
settlement_amount     -- dollar amount recovered or penalty assessed (where recorded)
legal_basis           -- FCA, Anti-Kickback Statute, Stark, CMP authority, other
conduct_summary       -- the alleged or admitted conduct (free text in the title)
classification_tag    -- OIG category: Criminal and Civil Actions,
                         CMP and Affirmative Exclusions, State Enforcement, etc.
state                 -- the state or jurisdiction of the action
joint_with_doj        -- whether DOJ was a party (US Attorney / Civil Division)
provider_type         -- hospital, drug maker, nursing home, lab, physician, etc.
source_url            -- link to the OIG enforcement-action notice

Three groups of columns carry the analytic weight. Identity and conduct—the party, the provider type, and the conduct summary—answer who was pursued and for what. Outcome—the action type, the settlement amount, and the classification tag—answer how the matter resolved and how much it cost the defendant. And legal basis and provenance—the statute invoked, whether DOJ was a co-party, the date, and the jurisdiction—answer under what authority, by whom, and where. The party column is the load-bearing key for joining: matched against the LEIE and against provider identifiers, it ties an enforcement action to the same party's exclusion status and to its billing footprint in the Medicare and Medicaid data. The settlement_amount is the column to treat with the most caution, because, as the caveats section stresses, it is recorded only where a dollar figure applies and is written into free text rather than supplied as a clean numeric field.

The OIG and its mission

The HHS Office of Inspector General is, by staff and by budget, the largest inspector general in the federal government, and the size is a direct consequence of what it guards. The Department of Health and Human Services is the largest grant-making and benefit-paying department in the government, and its two anchor programs—Medicare and Medicaid—move more money than any other federal spending stream outside of Social Security. Created under the Inspector General Act, the OIG exists to protect the integrity of HHS programs and the welfare of the people they serve by detecting and deterring fraud, waste, and abuse. Its work runs along two tracks: audits and evaluations that examine whether programs are run economically and effectively, and investigations and enforcement that pursue the parties who defraud them. This dataset is the output of the second track.

The recoveries are large. The OIG reports billions of dollars in expected recoveries annually—the combined product of court-ordered judgments, settlements, and administrative penalties—and a return on investment that the office regularly cites as many dollars recovered for every dollar of its appropriation. But the enforcement record is not only, or even mainly, about the money it claws back. Its deeper function is deterrence: a publicly searchable archive of who was caught and what it cost them is itself a compliance instrument, signaling to every billing entity in the country what conduct draws a response and how severe that response is. For an analyst, that makes the record something more than a recovery ledger. Because each action names a party, a conduct type, a statute, and a jurisdiction, the aggregate is a longitudinal map of where the government has judged healthcare-fraud risk to be concentrated—which provider types, which schemes, which states—and how that judgment has shifted over time.

The False Claims Act and qui tam

The single most important statute behind the enforcement record is the False Claims Act (FCA), the federal government's primary civil tool against fraud on the public fisc. In the healthcare context it imposes liability on any person who knowingly submits, or causes the submission of, a false or fraudulent claim for payment to a federal program—most often a Medicare or Medicaid claim. “Knowingly” reaches not only actual knowledge but deliberate ignorance and reckless disregard of the truth, and the liability is severe: treble damages (three times the government's loss) plus a per-claim penalty. Because a single fraudulent billing scheme can generate thousands of individual claims, FCA exposure compounds quickly, which is precisely why so many large healthcare matters resolve in settlement rather than at trial.

What makes the FCA uniquely productive of cases is its qui tam provision. Qui tam allows a private person—a relator, in practice usually a whistleblower with inside knowledge such as a former employee, a competitor, or a physician—to file suit on behalf of the United States and to share in the recovery if the case succeeds. The government may intervene and take over the litigation, or decline and let the relator proceed; either way, the relator's share gives insiders a powerful financial incentive to surface fraud the government could not see on its own. A large share of the most significant healthcare-fraud recoveries originate as qui tam actions, and the OIG works hand in glove with the Department of Justice, which brings the FCA suits, while the OIG contributes the investigative muscle and frequently layers on its own administrative remedies—a corporate integrity agreement, a civil monetary penalty, or an exclusion—as part of the global resolution. The FCA is, in short, the engine that drives the largest line items in the enforcement record.

The Anti-Kickback Statute and the Stark Law

If the False Claims Act is the vehicle, the Anti-Kickback Statute (AKS) and the Stark Law are the two substantive prohibitions most often at the bottom of a healthcare-fraud case. They address the same underlying danger—that financial self-interest will corrupt medical judgment—but they do it differently, and the distinction matters for reading the legal-basis field.

The Anti-Kickback Statute is a criminal prohibition. It makes it a felony to knowingly and willfully offer, pay, solicit, or receive any remuneration to induce or reward the referral of items or services payable by a federal healthcare program. Its reach is deliberately broad: “remuneration” covers anything of value—cash, free rent, sham consulting fees, lavish dinners, inflated speaker payments—and the statute is violated if even one purpose of the arrangement is to induce referrals. Because criminal intent is hard to prove and the statute would otherwise sweep in legitimate business arrangements, Congress and HHS created a set of statutory exceptions and regulatory safe harbors that immunize defined, low-risk arrangements. A kickback-based scheme often surfaces in the enforcement record as an AKS matter resolved civilly through the FCA, because a claim tainted by an illegal kickback is, by operation of law, also a false claim.

The Stark Law—the physician self-referral law—is different in character: it is a strict-liability civil prohibition, with no intent requirement. It bars a physician from referring a patient for certain “designated health services” payable by Medicare to an entity with which the physician (or an immediate family member) has a financial relationship, unless the arrangement fits a specific statutory or regulatory exception. Because Stark imposes liability regardless of intent, a technical, well-meaning failure to satisfy every element of an exception—a compensation arrangement that is not in writing, or that exceeds fair market value—can itself trigger liability, and Stark violations frequently appear alongside AKS allegations in the same hospital-physician matter. Together AKS and Stark are the structural prohibitions; the FCA is usually how the government collects.

Civil monetary penalties, CIAs, and exclusion

Beyond the FCA recoveries that DOJ brings, the OIG has its own arsenal of administrative remedies, and they account for a large share of the action types in the record. The first is the civil monetary penalty (CMP). Under its CMP authority the OIG can assess penalties and assessments directly, without going to court, for a wide range of misconduct—presenting false claims, violating the Anti-Kickback Statute, employing an excluded individual, failing to grant the OIG timely access to records, and more. CMP cases are the OIG's in-house enforcement track, and they populate a distinct and steady stream of the enforcement record, frequently for conduct too small or too administrative to warrant a full FCA suit but serious enough to require a response.

The second is the corporate integrity agreement (CIA). When a healthcare provider settles fraud allegations, the OIG often requires, as a condition of letting the provider continue to participate in federal programs, that it enter a CIA: a typically five-year contract imposing detailed compliance obligations—an independent review organization auditing the provider's claims, mandatory training, a compliance officer and committee, reporting of overpayments and “reportable events,” and board-level certifications. The CIA is the forward-looking complement to the backward-looking settlement: the money resolves the past conduct, while the CIA polices future conduct, with stipulated penalties and even exclusion held in reserve if the provider breaches. A CIA in the record is a marker that the OIG judged the provider worth keeping in the program but only under close supervision.

The third and most severe remedy is exclusion— barring a party from participation in Medicare, Medicaid, and all other federal healthcare programs. For most providers, exclusion is a corporate death sentence, because no claim for an excluded party's items or services will be paid by any federal program. Some exclusions are mandatory (imposed by statute upon, for example, conviction of a program-related crime or patient abuse) and some are permissive (imposed at the OIG's discretion). The resulting exclusions are recorded on the LEIE, which is why the enforcement record and the LEIE are two views of an overlapping reality: an action in the enforcement data that ends in exclusion produces a corresponding entry on the LEIE, and the threat of exclusion is the leverage that brings many providers to the settlement table and into a CIA in the first place.

The recurring conduct and the Strike Force

For all the variety of parties in the record—drug and device makers, hospital systems, nursing homes, laboratories, home-health agencies, hospices, durable-medical-equipment suppliers, and individual physicians—the conduct clusters into a recognizable set of schemes. Billing for medically unnecessary services is among the most common: ordering tests, procedures, or therapy a patient did not need, or admitting patients who did not require admission, purely to generate billable claims. Upcoding is its sibling—billing for a more expensive service or a sicker diagnosis than the patient actually received or had, inflating reimbursement by miscoding. Kickbacks, the AKS conduct described above, run through a large fraction of the matters: paying for referrals, disguised as consulting fees, speaker honoraria, free goods, or above-market rents. Rounding out the picture are billing for services never provided at all, billing for services rendered by excluded or unlicensed personnel, and unlawful drug marketing such as off-label promotion. The conduct-summary text is where these patterns live, and classifying it is the key to turning the record into an account of how healthcare fraud is actually committed.

The institutional centerpiece of the government's response is the Medicare Fraud Strike Force, a joint OIG–DOJ initiative that embeds investigators and prosecutors in data-driven teams operating in fraud-heavy regions. The Strike Force model fuses real-time analysis of Medicare billing data with on-the-ground investigation, allowing the government to identify aberrant billing patterns—a single clinic billing impossibly high volumes, a cluster of suppliers sharing a phantom patient list—and move quickly from data anomaly to indictment. Its periodic coordinated takedowns produce large batches of criminal actions concentrated in time and geography, and they are a recurring feature of the enforcement record. The Strike Force is also the clearest demonstration of why the record is worth analyzing in aggregate: the same data-driven targeting the government uses to find fraud is exactly the lens an outside analyst can apply to the published outcomes, reading the enforcement record as a signal of where the next anomaly is likely to surface.

Joining to the LEIE and provider identifiers

The enforcement record is most powerful not in isolation but joined to the other datasets that describe the same parties, and the party name—ideally resolved to a stable identifier—is the join key. Three joins matter most.

The first is to the LEIE. Because an enforcement action that ends in exclusion produces a corresponding LEIE entry, joining the two lets an analyst close the loop between an action and its most severe consequence: which settlements and CMP cases led to exclusion, how long the exclusion runs, and whether a party that settled without exclusion later turns up excluded for separate conduct. The LEIE also carries identifiers (for individuals, often including a National Provider Identifier where available) that help disambiguate the free-text names in the enforcement record, so the join improves entity resolution in both directions.

The second is to provider identifiers and billing data. Where an enforcement action can be matched to a provider's National Provider Identifier, it becomes possible to connect the action to that provider's actual Medicare and Medicaid billing footprint—the services billed, the volumes, the per-service amounts in the public provider-utilization data. That link is what turns the enforcement record from a list of outcomes into a tool for pattern detection: an analyst can ask whether the billing profile of a sanctioned provider was anomalous before the action, and whether peers with similar profiles warrant scrutiny. It is the civilian version of the Strike Force's own method.

The third is to the broader federal enforcement and debarment ecosystem. A healthcare-fraud matter that names a corporate defendant may also produce a SAM exclusion barring the firm from federal contracts, a US Attorney prosecution in the criminal docket, and a record in DOJ's own enforcement releases. Matching across these—by name and, where possible, by identifier—lets an analyst assemble a complete picture of a single bad actor across the procurement, healthcare, and criminal systems, the kind of cross-list synthesis that underlies any serious compliance risk score.

Analytical uses

A national, dated, party-resolved record of healthcare-fraud outcomes supports a distinctive set of analyses.

Where fraud risk concentrates, by provider type and geography. Aggregating actions by provider type and by state reveals the structure of the risk: whether the bulk of recent activity is in nursing homes, laboratories, home-health, hospices, or pharmaceutical marketing, and which jurisdictions generate the most actions—a function both of where fraud occurs and of where the Strike Force and US Attorneys are most active. Tracked over time, these distributions show how the government's focus migrates as schemes evolve and as enforcement resources are redeployed.

Settlement-size distribution and the largest matters.Where dollar amounts are recorded, ranking and binning them shows the long-tailed shape of healthcare-fraud recoveries: a small number of nine- and ten-figure drug-maker and hospital-system settlements alongside a large body of smaller CMP and individual-provider matters. The distribution is itself informative—it tells you whether a given year was driven by a few blockbuster resolutions or by broad, routine enforcement.

Legal-basis and conduct mix. Breaking actions down by statute (FCA, AKS, Stark, CMP authority) and by conduct (medically unnecessary services, upcoding, kickbacks, unlawful marketing) shows which legal theories and which schemes dominate, and how the mix shifts—for instance, whether kickback-driven matters are rising relative to straightforward upcoding. Finally, repeat-offender and recidivism analysis uses the party key and the LEIE join to surface entities that appear more than once, or that settle, sign a CIA, and then resurface—the providers whose CIAs failed to reform them, which are precisely the parties an oversight program should watch most closely.

Python workflow: actions by type and year from the OIG listing

The OIG publishes its enforcement actions as a paginated, filterable listing on oig.hhs.gov rather than through a documented public JSON API, so the script below reads the listing pages directly. It walks the pages, extracts each action's title, date, and classification tags, parses any dollar amount written into the title, and then computes the core views: actions by year, actions by classification tag, and the largest settlements among the records that carry a parseable amount. Requirements: requests, pandas, and beautifulsoup4. Because the page markup changes over time, the selectors are intentionally loose and should be validated against the current structure; any sustained use should throttle politely and cache, as the script does.

import requests, re, time
import pandas as pd
from bs4 import BeautifulSoup
from collections import Counter

# HHS-OIG publishes its enforcement actions as a paginated, filterable
# HTML listing at oig.hhs.gov -- there is no documented public JSON API,
# so this script reads the listing pages directly. Each result row carries
# the action title (which usually names the party, the conduct, and any
# dollar amount), the date, and one or more classification tags
# (Criminal and Civil Actions, CMP and Affirmative Exclusions, State
# Enforcement Agencies, and so on).
#
# Be a good citizen: identify yourself, throttle, and cache. The page
# structure changes over time, so the selectors below are intentionally
# loose and should be validated against the current markup.
BASE = "https://oig.hhs.gov/fraud/enforcement/"
HEADERS = {"User-Agent": "research-bot (contact: analyst@example.org)"}

# A dollar amount written into a title, e.g. "$1,250,000" or "$3.4 million".
MONEY = re.compile(r"\$\s?([\d,]+(?:\.\d+)?)\s?(million|billion)?", re.I)


def parse_amount(text):
    m = MONEY.search(text or "")
    if not m:
        return None
    val = float(m.group(1).replace(",", ""))
    scale = (m.group(2) or "").lower()
    if scale == "million":
        val *= 1_000_000
    elif scale == "billion":
        val *= 1_000_000_000
    return val


def fetch_page(page):
    r = requests.get(BASE, params={"page": page}, headers=HEADERS, timeout=60)
    r.raise_for_status()
    soup = BeautifulSoup(r.text, "html.parser")
    rows = []
    for item in soup.select("article, li.usa-card, div.views-row"):
        link = item.find("a")
        if not link:
            continue
        title = link.get_text(" ", strip=True)
        time_el = item.find("time")
        date = time_el.get("datetime") if time_el else None
        tags = [t.get_text(strip=True) for t in item.select(".field--name-field-type, .tag")]
        rows.append({"title": title, "date": date,
                     "tags": "; ".join(tags), "amount": parse_amount(title)})
    return rows


def crawl(max_pages=40):
    out = []
    for p in range(max_pages):
        batch = fetch_page(p)
        if not batch:
            break
        out.extend(batch)
        time.sleep(1.0)
    df = pd.DataFrame(out)
    df["date"] = pd.to_datetime(df["date"], errors="coerce")
    df["year"] = df["date"].dt.year
    return df


df = crawl()
print(f"Enforcement actions parsed: {len(df):,}")

# --- 1. Actions by year ------------------------------------------------
print("\nActions by year:")
for yr, n in df["year"].dropna().astype(int).value_counts().sort_index().items():
    print(f"  {yr}  {n:>5,}")

# --- 2. Actions by classification tag ----------------------------------
tag_counter = Counter()
for raw in df["tags"].fillna(""):
    for tag in [t.strip() for t in raw.split(";") if t.strip()]:
        tag_counter[tag] += 1
print("\nActions by classification:")
for tag, n in tag_counter.most_common(10):
    print(f"  {tag[:44]:<44} {n:>5,}")

# --- 3. Largest settlements where a dollar amount is recorded ----------
priced = df.dropna(subset=["amount"]).sort_values("amount", ascending=False)
print(f"\n{len(priced):,} of {len(df):,} actions carry a parseable amount.")
print("Top 10 by recorded amount:")
for _, row in priced.head(10).iterrows():
    print(f"  ${row['amount']:>16,.0f}  {row['title'][:60]}")

Two things about this script deserve emphasis. First, the dollar-amount parsing is the fragile part by design: amounts live in free-text titles, written inconsistently (“$1,250,000,” “$3.4 million,” “more than $40 million”), and many actions—criminal sentences, exclusions, access-denial CMPs—carry no dollar figure at all, so the “top by amount” view covers only the priced subset and must never be read as the whole. The script reports the share of actions with a parseable amount precisely so that limitation stays visible. Second, for serious longitudinal work the better path is to capture the listing on a schedule and persist the structured rows—party, type, date, amount, basis—into our hhs_oig_enforcement table, where the conduct text can be classified once, joined to the LEIE and provider identifiers, and analyzed at rest, rather than re-scraping and re-parsing the public pages on every run.

Limitations and analytical caveats

The enforcement record is the most comprehensive public account of HHS-OIG healthcare-fraud outcomes, but it carries structural limitations that an analyst must internalize before drawing conclusions.

Most fields are free text, and amounts are partial. The party name, the conduct, and frequently the dollar figure are embedded in narrative titles rather than supplied as clean structured fields, which makes parsing imperfect and entity resolution hard—the same hospital system can appear under several name variants across actions and years. Crucially, a settlement amount is recorded only where one applies and is stated; a great many actions (criminal sentences, exclusions, certain CMP and access matters) carry no comparable dollar figure. Summing or ranking by amount therefore describes only the priced subset and will mislead anyone who treats it as the total impact of OIG enforcement.

A settlement is not an admission of liability. The overwhelming majority of civil healthcare-fraud matters resolve by settlement, and almost all such settlements expressly state that they are not an admission of wrongdoing by the defendant—the party pays to resolve the allegations and end the litigation risk without conceding the underlying conduct. The conduct described in an enforcement notice is, for settled civil matters, an allegation, not an adjudicated finding. Treating every settled action as proven fraud over-reads the record; the legitimate inference is that the government alleged the conduct and the party chose to resolve it, which is meaningful but not the same as guilt established at trial.

The record reflects enforcement priorities, not the true distribution of fraud. What appears in the data is what the OIG and DOJ chose and were resourced to pursue—shaped by Strike Force geography, by which schemes were prioritized, by whistleblower filings, and by litigation strategy. A surge of actions against a particular provider type or in a particular state may reflect a deliberate enforcement campaign rather than a genuine spike in underlying fraud, and the absence of actions in a category is emphatically not evidence that fraud is absent there. The record measures the shadow of enforcement, which correlates with—but is not—the shape of the fraud itself.

There is reporting lag and a snapshot quality. An action appears after it is resolved and the notice is posted, so the most recent months are systematically under-represented in any snapshot, and joint OIG–DOJ matters may be announced and dated differently across the two agencies' records, complicating cross-source reconciliation. The data is authoritative for established patterns and multi-year trends; it is not a real-time monitor of last month's enforcement, and a single day's capture is a snapshot, not the complete historical archive.

Held with these caveats in mind, the hhs_oig_enforcement table is a uniquely valuable resource: a party-resolved, dated, statute-tagged record of the settlements and penalties through which the federal government's largest inspector general defends Medicare and Medicaid against fraud—a map, read in aggregate, of where the money was stolen, who was caught, and what it cost them, joinable to the exclusions list that records the most severe consequence of all.