Insights

On April 29, 2026, the New York Department of Financial Services (NYDFS) announced the finalization of a $2.25 million settlement with Delta Dental of New York and Delta Dental Insurance Co., resolving allegations that the affiliated companies failed to comply with the state’s stringent cybersecurity, consumer data protection, and incident reporting requirements. For health insurers, managed care organizations, and their third-party service providers operating in New York, the announcement comes as the latest signal that the NYDFS intends to aggressively enforce its cybersecurity regulations — which are widely considered the strictest in the nation following a 2023 overhaul. These regulations, codified at 23 NYCkRR 500 (Cybersecurity Requirements for Financial Services Organizations), apply to any entity licensed under New York insurance law, including health insurers, managed care organizations, and their third-party service providers.

Consistent with recent FDA initiatives directed at leveraging AI technologies and improving early-phase clinical trial conduct, the FDA has issued a Request for Information (RFI) for input on a proposed AI-enabled optimization pilot program for early-phase clinical trials. The issues for which FDA is requesting information fall into two categories:  (A) Pilot program design and implementation and (B) Program evaluation metrics and success criteria.

The appropriate use of AI tools during the claims review process continues to be a major topic of debate within the health care industry — but in recent weeks, emerging litigation has inspired critics to turn their attention specifically to the technology’s application within federal health programs. On March 25, 2026, the Electronic Frontier Foundation (EFF) filed a lawsuit against the Centers for Medicare and Medicaid Services (CMS), citing the agency’s alleged failure to answer a Freedom of Information Act (FOIA) request for records the EFF believes will provide crucial insight into the design, safeguards, vendor relationships, and real-world performance of the Medicare Wasteful and Inappropriate Service Reduction (WISeR) Model, CMS’s  AI-driven prior authorization pilot program for certain Medicare services.

Several recent class actions filed against Tempus AI, Inc., a health care technology company that combines AI with molecular and clinical data to develop precision medicine services, are the latest in a series of cases illustrating a fast-growing legal risk: the repurposing of genetic and clinical data — collected for diagnostic or treatment purposes — for artificial intelligence (AI) model training, analytics, and downstream commercialization following corporate acquisitions. At the same time, state genetic privacy regulation is expanding rapidly, with Utah and South Dakota being the most recent states to enact new statutes, and legislation advancing in several additional states. Organizations holding genetic datasets need to treat data governance as a core enterprise risk issue, not a downstream compliance matter.

At the International Association of Privacy Professionals’ (IAPP) annual conference March 30-31, 2026, enforcement officials from California, Connecticut, Indiana, and Delaware shared their current and upcoming enforcement priorities under U.S. state consumer privacy laws. This alert summarizes the key themes from the panel and offers practical guidance for companies navigating the evolving enforcement landscape.

On April 2, 2026, President Trump issued a Proclamation invoking Section 232 of the Trade Expansion Act of 1962, as amended (19 U.S.C. § 1862), to impose tariffs on imports of patented pharmaceuticals, biologics, and associated ingredients into the United States.  The action affects pharmaceutical manufacturers, importers, and supply chain participants.   

In a development likely to ramp up regulatory pressure on an industry already under significant federal scrutiny, Federal Trade Commission (FTC) Chairman Andrew Ferguson recently directed leaders across his agency to launch a team dedicated to cooperatively advancing enforcement and advocacy activities relevant to health care.

The National Association of Insurance Commissioners (NAIC) is intensifying its oversight of how insurers use AI — and the pace of regulatory activity shows no signs of slowing. Over the past several months, the NAIC has published a formal Issue Brief staking out its position on federal AI legislation, launched a multistate AI Evaluation Tool pilot aimed at examining insurers’ AI governance programs, and continued to expand adoption of its AI Model Bulletin across state lines. These developments continue a trend towards enhancing regulation; the NAIC adopted AI Principles in 2020 and a Model Bulletin in 2023 clarifying that existing insurance laws apply to AI systems and establishing expectations for governance, documentation, testing, and third-party oversight. That Model Bulletin has now been adopted in approximately 24 states.

Ransomware attacks continue to evolve in frequency, sophistication, and impact. Threat actors are now leveraging artificial intelligence to enhance phishing campaigns, automate data exfiltration, and execute double extortion schemes—where data is both encrypted and stolen for leverage.

On September 30, 2025, the Food and Drug Administration (FDA) issued a Request for Public Comment (“Request”) inviting stakeholders to share practical experience and recommendations for measuring and evaluating the real-world performance of AI-enabled medical devices, including those powered by GenAI. According to FDA, the Request is not intended to communicate new guidance or regulatory expectations but aims to advance the conversation on how best to assure the safety, effectiveness, and reliability of AI-driven technologies in clinical practice.

On September 9, 2025, the California Privacy Protection Agency (“CPPA”), along with California Attorney General Rob Bonta, Colorado Attorney General Phil Weiser, and Connecticut Attorney General William Tong, (collectively the “Coalition”) announced a joint investigative sweep (the “Sweep”) into businesses refusing to honor consumers' requests to opt-out of the sale of their personal information submitted via Global Privacy Controls (“GPCs”). This Sweep is another action in a growing trend of multi-state cooperation in data privacy enforcement activities. Given the continued lack of a federal data privacy law, state cooperation and enforcement activities are expected to continue.

On Monday, July 21, 2025, the Food and Drug Administration (FDA) issued draft guidance entitled “E21 Inclusion of Pregnant and Breastfeeding Women in Clinical Trials” from the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH). The guidance is currently in Step 2 of the ICH process and open for public comment until September 19, 2025.

On July 23, 2025, the Trump Administration issued an artificial intelligence (AI) action plan titled “Winning the Race: America’s AI Action Plan” (the Plan) to guide AI innovation in the U.S. The Plan includes 90 policy recommendations that will shape future AI guidance and policies impacting a range of entities and industry sectors, including health care/life sciences and entities involved in clinical research.

In response to the recent U.S. strikes on Iranian nuclear facilities, the New York State Department of Health (“NYS DOH”) issued a cybersecurity advisory (the “Advisory”) that cautions healthcare providers, such as hospitals, treatment centers, and healthcare practitioners, of a high likelihood of increased cyberattacks and heightened cybersecurity threat activity.  The Advisory follows similar announcements and warnings from U.S. Department of Homeland Security (“DHS”), NYS Intelligence Center (NYSIC) and the Health-ISAC (Information Sharing and Analysis Center).

In a somewhat ambiguous press release on Wednesday, June 18, 2025, the Food and Drug Administration (FDA) announced a halt and “immediate review” of new clinical trials where American patients’ cells are sent to China or other “hostile countries” for genetic engineering with the expectation that the cells will be infused back into U.S. patients.[1] A subsequent podcast published by the agency also said that therapies that involved cells that were sent to China for genetic engineering and intended for subsequent infusion into U.S. patients would not be approved going forward. The announcement said that there is “mounting evidence” that some clinical researchers failed to obtain informed consent from trial participants about the international transfer and manipulation of biological material.

On May 1, the NIH issued an update on its grants policy, establishing a “new award structure” that would prohibit foreign subawards from being nested under the parent grant, replacing them with direct awards linked to a prime award. Effective immediately, NIH will no longer issue awards that include a subaward to a foreign entity until the new structure is implemented. The notice did not limit this new structure for foreign recipients to any particular jurisdiction, potentially impacting a wide range of grants and limiting international collaboration with U.S. researchers through the subaward model.

On March 27, 2025, HHS announced a “dramatic restructuring” of its various agencies and offices in accordance with President Trump's Executive Order, “Implementing the President’s ‘Department of Government Efficiency’ Workforce Optimization Initiative.” HHS also published a Fact Sheet.

On March 12, the California Consumer Privacy Protection Agency (“Agency”) announced it had entered into a settlement (“Settlement”) with American Honda Motor Company (“Honda”) to resolve the Agency’s claims that Honda violated the California Consumer Privacy Act (“CCPA”). The total fine to be paid by Honda is $632,500. The investigation came out of the Agency’s Enforcement Division’s focused review of privacy practices of connected vehicles and related technologies announced in July 2023. That review highlighted vehicles with embedded features such as location sharing, smartphone integration, and cameras, and we expect more automotive related Agency settlements to be issued in the near future.

On February 28, the Department of Health and Human Services (HHS) announced that it was rescinding the Richardson Waiver, a policy in place since 1971 which said HHS would provide notice of proposed rulemaking in certain cases where it was not otherwise required to do so by law. This announcement signals a policy shift for the agency and suggests that where permitted by law, HHS will generally now issue rules relating to “agency management or personnel or to public property, loans, grants, benefits, or contracts” without providing notice and comment to stakeholders, and may otherwise find good cause to forego notice and comment procedures.

On Friday, February 21, Rep. Brett Guthrie (R-KY) and Rep. John Joyce (R-PA), the Chairman and Vice Chairman of the U.S. House Committee on Energy and Commerce, issued a Request for Information (RFI) inviting stakeholders to provide comment as the Committee explores the development of a federal data privacy and security framework. After efforts to consider a bipartisan and bicameral bill failed last year under former Chair Cathy McMorris Rodgers (R-WA), Chairman Guthrie is starting the effort anew, forming a working group with the goal of developing comprehensive legislation “that can get across the finish line.”