What Nonprofits Receiving Federal Funds Need to Know About the False Claims Act
The False Claims Act (FCA) is the single most powerful tool for rooting out fraud against the US government, and any nonprofit that receives federal funds should ensure compliance is integrated into its programs to avoid the severe penalties that can come with FCA violations.
Any entity that is a direct recipient of government funds, or that indirectly receives government funds (e.g., an entity that provides services or products that are reimbursed by government funds), is subject to the FCA. The FCA empowers federal enforcers and certain whistleblowers to seek significant — often multi-million dollar — penalties if the recipient of funds knowingly submits, or causes to be submitted, false claims to the government. The penalties include liability for three times the government’s damages, which could be the entire amount paid to the organization, plus a penalty of $14,308-$28,619 per false claim. As a result of FCA enforcement, the government has reclaimed more than $85 billion since 1986 and exceeded $6.8 billion in FCA settlements and judgments for fiscal year 2025.
This article addresses common questions for nonprofits about the FCA.
Are Nonprofit Organizations at Risk of an FCA Investigation?
Yes, nonprofit organizations that contract with the government or receive federal grants, loans, or other federal funding could be at risk of FCA enforcement actions if they do not carefully document and manage their compliance with their contractual obligations when submitting claims for federal funds.
What Types of Conduct Can Expose Nonprofits to FCA Liability?
FCA enforcement against nonprofits that receive federal funding typically focuses on federal grants and health care claims. In the past year, however, the Trump Administration threatened to expand FCA enforcement to target diversity, equity, and inclusion (DEI) programs, and to pursue enforcement for cybersecurity failures and ineligible Paycheck Protection Program (PPP) applications.
DEI
The Trump Administration has broadly asserted that DEI programs risk violating the FCA. No nonprofit has yet faced liability related to this expansion of the FCA, but careful review of DEI programs is merited to mitigate the risks arising from the Administration’s current focus.
In May 2025, Deputy Attorney General Todd Blanche announced the Civil Rights Fraud Initiative, which aims to use the FCA to investigate and pursue claims against federal funding recipients who are “knowingly engaging in racist preferences, mandates, policies, programs, and activities, including through diversity, equity, and inclusion (DEI) programs that assign benefits or burdens on race, ethnicity, or national origin.”
According to the New York Times, in May 2025, the US Department of Justice (DOJ) notified Harvard University of an FCA investigation into whether its admissions process complies with the US Supreme Court’s 2023 decision in Students for Fair Admissions, Inc. v. President & Fellows of Harvard College, which effectively ended affirmative action in university admissions. In the DOJ’s memorandum establishing the Civil Rights Fraud Initiative, it stated that “a university that accepts federal funds could violate the False Claims Act when it encourages antisemitism, refuses to protect Jewish students, allows men to intrude into women’s bathrooms, or requires women to compete against men in athletic competitions.”
The initiative’s reach extends beyond nonprofits, which indicates the Harvard investigation may not be a one-off instance. In December 2025, The Wall Street Journal reported that the DOJ issued civil investigative demands (CIDs) to companies including Google and Verizon Communications related to their workplace DEI programs. Although these are not nonprofit organizations, their receipt of CIDs is indicative of the DOJ’s broader interest in scrutinizing DEI-related conduct across all sectors. In recent remarks, the Deputy Assistant AG of the DOJ Civil Division’s Commercial Litigation Branch stated that DOJ investigations into race and sex discrimination by government contractors under the guise of DEI are an enforcement priority. She emphasized that conduct such as engaging in preferential hiring, compensation, or promotional practices for underrepresented groups in order to meet DEI targets is “top of the list” for civil fraud enforcement.
Whether these investigations will result in FCA liability remains to be seen, but nonprofit organizations that receive federal funding should proactively review their DEI policies and practices to ensure compliance with applicable laws and mitigate potential enforcement risk.
Federal Grants
Nonprofit organizations that receive federal grants have long been targets of FCA enforcement. In recent years, the DOJ has pursued significant settlements against organizations that misused grant funds or submitted false certifications. Common violations include:
Misrepresenting how grant funds were spent.
Falsifying information in grant applications.
Failing to comply with grant conditions while continuing to receive funding.
In a notable example, the Cleveland Clinic Foundation (CCF), a major Ohio-based nonprofit medical and research institution, paid $7.6 million in May 2024 to resolve FCA allegations stemming from its handling of three National Institutes of Health (NIH) funded grants. The government contended that, over a roughly seven-year span ending in 2020, CCF omitted from its grant submissions the fact that CCF’s designated Principal Investigator maintained active and pending research funding from institutions abroad — support that NIH required grantees to report in full. Those omissions appeared in initial applications as well as subsequent progress updates, and CCF repeatedly certified the accuracy of its filings despite the missing information.
Similarly, in July 2024, the University of Maryland agreed to pay $500,000 to resolve FCA claims that it failed to disclose support from foreign sources for faculty members who were principal or co-principal investigators on federally funded research. The allegations related to research grants the university received between 2015 and 2020 from five federal agencies.
These cases underscore the importance of robust internal controls and accurate reporting for nonprofit organizations that rely on federal grant funding.
Cybersecurity
In October 2021, the DOJ launched the Civil Cyber-Fraud Initiative, which uses the FCA to pursue government contractors and federal grant recipients that fail to meet cybersecurity standards required by their contracts or that make false statements about their cybersecurity compliance. Cybersecurity fraud settlements have increased significantly in recent years, with the DOJ recovering over $52 million in fiscal year 2025 across nine settlements.
Nonprofit research institutions are not immune from scrutiny. In September 2025, the DOJ announced an $875,000 settlement with Georgia Tech Research Corporation (GTRC), a 501(c)(3) organization, resolving allegations that it did not comply with cybersecurity requirements involving Air Force and Defense Advanced Research Projects Agency contracts. The case originated as a 2022 qui tam (i.e., whistleblower) lawsuit filed by two former members of Georgia Tech’s cybersecurity team. According to the DOJ, GTRC neglected to install or operate required anti-virus and anti-malware tools, did not maintain a system security plan as mandated, and reported a false cybersecurity self-assessment score to the DOD. These were purportedly required elements of its government contract, thus rendering GTRC’s claims for funds false.
The GTRC matter is not an isolated example. In October 2024, Penn State agreed to pay $1,250,000 to resolve FCA claims stemming from its alleged noncompliance with cybersecurity obligations across 15 contracts or subcontracts tied to DOD and National Aeronautics and Space Administration work. The DOJ contended that, from 2018 through 2023, the university neglected to deploy required cybersecurity controls and failed to develop adequate remediation plans for known deficiencies. It further alleged that Penn State provided assessment scores to the DOD that mischaracterized its projected timelines for addressing gaps, and that certain contract work relied on cloud services that did not satisfy DOD security standards.
Nonprofit organizations should ensure that their cybersecurity practices align with contractual requirements and promptly address any compliance gaps to avoid potential FCA exposure.
Paycheck Protection Program
The Paycheck Protection Program (PPP), established during the COVID-19 pandemic to provide forgivable loans to help organizations retain employees, has become a significant source of FCA liability for nonprofit organizations specifically. The DOJ’s pandemic fraud enforcement efforts have yielded more than $820 million in civil recoveries to date, with more than 200 settlements and judgments exceeding $230 million in fiscal year 2025 alone.
Nonprofit organizations have faced particular scrutiny regarding PPP eligibility certifications. In September 2025, the US Attorney’s Office for the District of Columbia announced settlements with six nonprofit organizations totaling over $3 million to resolve allegations that they falsely certified eligibility for PPP loans. Many of these organizations were Section 501(c)(4) entities that were never eligible for PPP loans under the CARES Act or were “think tanks” barred from second-draw PPP loans. In January 2026, four additional nonprofits reached settlements of over $3 million to resolve similar allegations — Prosperity Now, National Bureau of Asian Research, National Conference on Public Employee Retirement Systems, and League of United Latin American Citizens.
What Should Nonprofits Do Now?
Nonprofit organizations, like any other recipient of federal funds, face heightened FCA exposure across multiple fronts, and should not assume that their tax-exempt status immunizes them from liability. Nonprofits should:
Confirm internal controls over grant expenditures, including ensuring accurate reporting and documentation.
Audit cybersecurity practices to confirm alignment with contractual requirements and promptly remediate any gaps.
Verify eligibility certifications for any funds, including careful review of grant agreements.
Review DEI policies against DOJ guidance.
If you believe you may have FCA exposure, or if you receive an internal complaint, audit request, subpoena, or Civil Investigative Demand relating to receipt of federal funds, contact counsel immediately.
ArentFox Schiff’s False Claims Act practice and Nonprofits & Associations team regularly advise nonprofits on strategies for FCA compliance that align with their business goals.