Abstract

On Feb 25, 2026, the Trump administration announced a sweeping set of Medicare/Medicaid fraud enforcement actions including a 6-month nationwide DMEPOS enrollment moratorium, a $259.5M federal Medicaid funding deferral in Minnesota, and the launch of the CRUSH (Comprehensive Regulations to Uncover Suspicious Healthcare) RFI. This essay unpacks the policy mechanics, data, and second-order implications for founders and investors in health tech.

Key facts up front:

- 80k+ DMEPOS suppliers enrolled; 6,000+ are medical supply cos (7.5% of total)

- 17% revocation rate for medical supply cos vs ~6% for other DMEPOS types

- CMS suspended $5.7B in suspected fraudulent Medicare payments in 2025

- $1.5B in suspected fraudulent DMEPOS billing stopped in 2025 alone

- CRUSH RFI comment deadline: March 20, 2026 (file code CMS-6098-NC)

- Minnesota deferral: $259.5M with possible $1B+ exposure over next year

- 7 specific medical supply company types covered by moratorium

- Moratorium applies nationwide, all states, territories, DC

- No judicial review of the moratorium decision itself

Table of Contents

What actually happened and why it matters

The DMEPOS moratorium mechanics

The data CMS used to justify this

The CRUSH RFI and what CMS is fishing for

Minnesota as a canary

What this means for founders

What this means for investors

The AI angle

How to think about the comment period

What actually happened and why it matters

Feb 25, 2026 was a busy day at CMS. VP Vance, RFK Jr., and Dr. Oz held a White House press event to announce what amounts to the most aggressive coordinated Medicare/Medicaid fraud enforcement posture in a decade. Three actions dropped simultaneously: a nationwide moratorium blocking new Medicare enrollment for seven categories of medical supply company DMEPOS suppliers, a $259.5M federal Medicaid funding deferral in Minnesota, and the CRUSH RFI soliciting public input on a potential future rulemaking. These aren’t isolated policy moves. They’re a coordinated signal about where this administration wants to take program integrity enforcement, and the downstream effects on health tech companies, from compliance infrastructure to AI vendors to DME-adjacent platforms, are significant.

The headline framing from CMS Administrator Oz was theatrical but directionally accurate: “CMS is done trying to catch fraudsters with their hands in the cookie jar – instead, we’re padlocking the jar and letting them starve.” Secretary Kennedy framed it as replacing “pay and chase” with “detect and deploy.” Whether or not you buy the political branding, the underlying operational shift is real. CMS suspended $5.7 billion in suspected fraudulent Medicare payments in 2025, stopped $1.5 billion in DMEPOS billing alone, revoked billing privileges from 5,586 providers, and sent 372 fraud referrals covering $3.7 billion in billing to law enforcement. That’s not rhetoric, that’s a functioning enforcement apparatus that got materially more aggressive over the past year.

The moratorium itself is the most immediately impactful piece for health tech operators. DMEPOS fraud has been on CMS and OIG radar for literally decades, with OIG reports flagging it since 1998. What’s new is the bluntness of the tool being used: not additional screening requirements, not payment suspensions post-billing, but a hard stop on enrollment for an entire category of supplier. No new medical supply companies get in for at least 6 months, possibly longer if CMS extends. For the companies and investors playing in the DME supply chain, distribution, or adjacently in software supporting these suppliers, this is a material market structure event.

The DMEPOS moratorium mechanics