The US Department of Justice will be taking a hard look at MedTech quality, manufacturing, and cybersecurity this year as the “DOJ continues to prioritize the medical device sector from an enforcement standpoint,” an industry attorney warns manufacturers.
DOJ “investigations of device companies often revolve around questions of product quality and promotional misconduct, and they examine whether device companies are marketing either on cleared or improved indications, and whether they lack the scientific support for claims they might be making on the quality front,” said Jennifer Bragg, a Partner in the Washington, DC, office of the law firm Latham & Watkins, and a former Associate Chief Counsel for Enforcement in the Food and Drug Administration’s (FDA) Office of Chief Counsel.
The DOJ also, among other activities, investigates allegations of manufacturer concealment of product problems and failure to submit adverse event reports to the FDA.
“And more recently, [the DOJ has] been looking at whether companies are incorrectly managing their cybersecurity risks,” Bragg said during a Jan. 22 Latham & Watkins webinar on DOJ enforcement priorities. “This is something … folks should keep an eye on … because device development is more iterative and as product designs change, manufacturing and quality issues pose a bigger risk for device companies.”
The DOJ’s scrutiny of medical device manufacturing and product quality should be expected not only by MedTech makers, but also across the “spectrum of the medical technology industry,” Bragg noted.
“There are two things happening that I think are going to continue to make [MedTech] an area of focus” for the DOJ, she said. “First, the FDA is working very hard to get its inspectional core up and going, and inspectional rates are expected to increase.”
And second, Bragg said, is that the agency’s Quality Management System Regulation (QMSR) went into force on Feb. 2. Because of that, “companies are now no longer able to shield their external and internal audit reports during inspections, [which means] FDA investigators are going to have access to audit reports, which obviously will give them a direct window into challenges that have been found” during quality audits and supplier audits, she said.
“I expect those [audit reports] will make it easier for the FDA to find what’s going on with respect to quality issues. That’s a continued risk that [manufacturers] should keep in mind,” Bragg said.
In a separate Latham & Watkins webinar held in December, Bragg said the FDA’s ability to peek at audit findings and other related materials under its new QMSR is “the most important change that companies really should be prepared for,” adding that it tacks on a level of transparency that will catch some manufacturers off guard. (Related Story: “A ‘Major Change’: Is Your MedTech Company Ready for FDA’s Review of Audit Reports?” QualityHub, Jan. 1, 2026.)
On DOJ’s Mind: Product Quality and Cybersecurity
Attorney Bragg said the DOJ is sharpening its enforcement attention on quality lapses, underscoring that companies may face liability if they sell devices they know (or should know) are defective or otherwise fall short of quality standards. The FDA has made clear that device makers are responsible for ensuring products are safe, effective, and meet agency requirements, and failing to do so can trigger enforcement actions including recalls, warning letters, and civil money penalties.
“What we’ve seen in the settlement front are instances where companies are resolving cases based on allegations – sometimes that they have misrepresented adherence to the [FDA’s] quality system regulations and other FDA … applicable regulations,” Bragg said. “In some instances, [companies] have failed to report device problems, either [by conducting] recalls without reporting those recalls to the FDA” – also known as silent recalls – or by failing to file adverse events with the agency in the form of Medical Device Reports (MDR).
“This is low-hanging fruit for the government, because there is a bright-line clock that gets put on those reporting obligations and if companies miss those [deadlines], it’s a pretty easy [way] to show a violation of FDA regulations that can underpin FCA liability,” she said.
FCA – the False Claims Act – is the tool used most by the DOJ as it scrutinizes MedTech manufacturers for a variety of reasons, including devices that have persistent quality issues.
Meanwhile, there has been an uptick in DOJ allegations and settlements “involving medical device companies accused of selling medical device software that have cybersecurity vulnerabilities,” Bragg said, pointing out that those resolutions didn’t include claims of actual cybersecurity breaches.
She explained that such settlements were unusual because they were based solely on allegations that the mere possibility of cybersecurity vulnerabilities – even without an actual breach – was sufficient to classify the devices as defective.