Blowing the whistle on a healthcare technology company involves choosing the right federal agency for the type of wrongdoing you’ve witnessed, filing your report through the correct legal channel, and protecting yourself from retaliation before you make any disclosures. The specific path you take depends on whether the problem involves patient safety, data privacy, financial fraud, or billing fraud, and each route carries different deadlines, protections, and potential financial rewards.
Identify the Type of Wrongdoing First
Healthcare tech companies can break the law in several distinct ways, and each type of violation has a different reporting agency and legal framework. Before you file anything, figure out which category your concern falls into:
- Billing fraud or false claims to government programs: A company billing Medicare, Medicaid, or other federal programs for services not rendered, upcoding, or misrepresenting what their product does. This falls under the False Claims Act.
- Unsafe software or AI that affects patient care: A medical device, clinical decision tool, or diagnostic algorithm that malfunctions, produces dangerous outputs, or was never properly validated. This goes to the FDA.
- Patient data mishandling or privacy violations: Unauthorized sharing of health records, inadequate security, or HIPAA violations. This goes to the Office for Civil Rights at HHS.
- Investor or securities fraud: Misleading investors about product capabilities, exaggerating AI performance, or fabricating clinical results. This goes to the SEC.
Some situations involve more than one category. A company that lies to investors about the accuracy of its diagnostic AI while also billing Medicare for its use could trigger both SEC and False Claims Act pathways. A whistleblower attorney can help you file through multiple channels simultaneously.
False Claims Act: Billing Fraud Against the Government
If a health tech company is defrauding Medicare, Medicaid, Tricare, or any other federal healthcare program, the False Claims Act is your most powerful tool. It allows private citizens to file lawsuits on behalf of the United States government as “private attorneys general,” and it comes with financial rewards.
To file, you submit a civil complaint under seal with a federal court, meaning the defendant doesn’t know about it initially. Along with the complaint, you must provide a written disclosure of substantially all material evidence and information you possess to both the Attorney General and the U.S. Attorney. The case stays sealed while the Department of Justice investigates and decides whether to intervene. If the government recovers money, you receive a percentage of that recovery.
The statute of limitations is either six years from the date of the violation or three years from when the government knew (or should have known) the relevant facts, whichever is later. There’s a hard outer limit of ten years from the date of the violation, after which no case can be filed regardless of when the fraud was discovered. If you’re sitting on evidence, don’t wait.
FDA Reporting: Unsafe Devices and Software
Healthcare software that qualifies as a medical device, including clinical decision support tools, diagnostic algorithms, and AI systems used in patient care, falls under FDA oversight. If you know a product has malfunctioned in a way that caused or could cause death or serious injury, the FDA wants to hear about it.
Manufacturers are legally required to report when their devices may have caused or contributed to a death or serious injury, and also when they learn of malfunctions likely to cause harm if they recur. If you work for a manufacturer that is failing to make these mandatory reports, that itself is a violation worth reporting.
Anyone can submit a voluntary report through MedWatch, the FDA’s safety reporting program. You can complete the MedWatch Online Reporting Form (Form FDA 3500) through the FDA website, download a paper form, or call 1-800-332-1088 to request one. Include as much detail as possible: the product name, what happened, what clinical setting it occurred in, and any documentation you have.
HIPAA Violations and Data Privacy
If a health tech company is mishandling patient data, failing to encrypt records, sharing information with unauthorized third parties, or violating the Privacy, Security, or Breach Notification Rules, you can file a complaint with the Office for Civil Rights at the Department of Health and Human Services. Anyone can file, not just the person whose data was compromised.
OCR investigates complaints against covered entities (health plans, clearinghouses, and providers conducting electronic transactions) and their business associates, which includes many health tech vendors. File electronically through the OCR Complaint Portal on HHS.gov. Complaints involving substance use disorder treatment records under 42 CFR Part 2 also go through this same portal.
SEC Whistleblower Program: Investor Fraud
Health tech startups and publicly traded companies sometimes misrepresent their technology to investors. They may exaggerate what their AI can do, fabricate performance metrics, or hide safety problems that would affect their valuation. The SEC has fined companies and employees specifically for misleading statements about their use of AI and other technologies.
The SEC Whistleblower Program handles securities law violations and offers financial awards for original information that leads to successful enforcement. For employees of publicly traded health tech companies, the Sarbanes-Oxley Act provides additional protections covering not just direct employees but also workers at subsidiaries, contractors, and subcontractors.
Why You Should Report Externally First
Your instinct might be to raise the issue through your company’s internal compliance hotline or ethics channel before going to a government agency. This is often a mistake, and the legal landscape strongly favors external reporting.
Internal reporting channels exist to benefit the company, not the person reporting misconduct. While hotlines often promise confidentiality or anonymity, companies may still be able to identify you. More critically, the Supreme Court ruled in the Digital Realty case that whistleblowers who only report internally lack key protections under the Dodd-Frank Act. To be protected from retaliation under Dodd-Frank when reporting securities fraud, you must report to the SEC first. This precedent could extend to other federal laws that don’t specifically protect internal reporting.
The history here is sobering. Before the 2000s, companies successfully argued in court that they could fire at-will employees who used internal reporting systems. Enron made plans to fire Sherron Watkins after she raised accounting concerns internally, a decision that was legal at the time due to the lack of protections for internal disclosures. Even today, employers have successfully argued they can terminate at-will employees for using internal channels. The National Whistleblower Center explicitly advises against making any internal disclosures until after consulting a whistleblower attorney.
Protecting Yourself From Retaliation
Federal law prohibits employers from retaliating against whistleblowers, but the protections vary by statute and come with strict deadlines. Under OSHA’s framework, an employee who is retaliated against for making a HIPAA-authorized disclosure in connection with a workplace safety complaint can file a whistleblower complaint under Section 11(c) of the Occupational Safety and Health Act. The critical detail: you must file within 30 days of the retaliatory action. If OSHA’s investigation supports your complaint, it can order your employer to pay lost wages, restore benefits, and provide other relief.
Laws like the False Claims Act, Dodd-Frank Act, and the IRS whistleblower law all prohibit retaliation against employees who report to law enforcement in good faith. Many of these laws allow you to report confidentially or even anonymously. But each has its own filing window, and missing a deadline can strip you of protections entirely.
Finding the Right Attorney
Healthcare tech whistleblowing sits at the intersection of healthcare regulation, technology law, and federal enforcement, so generic legal advice won’t cut it. Look for a firm with specific experience in your type of whistleblower complaint. Each agency and court has its own procedural requirements, and a lawyer unfamiliar with those specifics can cost you time or, worse, your case.
Firms that include former DOJ attorneys or former special agents from agencies like the SEC tend to understand how federal investigators think and what evidence they prioritize. A robust federal practice matters more than a general whistleblower label. Most whistleblower attorneys work on contingency for qui tam cases, meaning you pay nothing upfront, so cost shouldn’t prevent you from getting a consultation before you take any action.
Practical Steps Before You File
Start by preserving evidence, but do it carefully. Copy documents, emails, internal reports, or screenshots that support your claims, but be aware of your company’s policies on removing proprietary information. A whistleblower attorney can advise you on what evidence-gathering methods are legally safe in your jurisdiction. Never alter or fabricate documents.
Keep a personal timeline of what you witnessed, when you witnessed it, and who else was involved. Write it down while your memory is fresh, with dates and specifics. Store it somewhere your employer cannot access, like a personal device or a physical notebook at home.
Do not discuss your plans with coworkers. Even trusted colleagues can inadvertently reveal your intentions, and once the company knows a whistleblower complaint is coming, evidence can disappear and retaliation can begin before you have legal protections in place. Talk to an attorney first, file with the appropriate agency, and let the legal process create a protective record before anyone at your company learns what you’ve done.