Medvi and Zealthy: What Every Telehealth Founder Needs to Learn From Compliance Investigations in 2026
Two telehealth companies. Two very different types of failure to comply with basic healthcare rules and regulatuons. Both unfolding in real time, in the same two-week window, in front of the entire healthcare industry.If you are building or running a telehealth practice right now -- whether you are a PA launching your own thing, a physician standing up a virtual model, or a founder trying to scale a direct-to-consumer platform -- you need to understand what went wrong at Medvi and Zealthy. Not because the details are salacious (though they are). Because the specific rules these companies violated are the same rules you are subject to every single day.
Let me walk you through what happened, what was broken, and what you should be doing differently.What Happened at Medvi
Medvi is a GLP-1 telehealth startup founded by Matthew Gallagher in Los Angeles. On April 2, 2026, the New York Times published a profile presenting Medvi as a proof-of-concept for AI-powered business -- a company projecting $1.8 billion in 2026 revenue with just two full-time employees. The story went viral. Forbes, Inc., and dozens of other outlets followed.
What the NYT profile did not mention: six weeks earlier, on February 20, 2026, the FDA had already issued Warning Letter #721455 to Medvi.
Here is what the FDA found.
**FDA Warning Letter #721455 (February 20, 2026)**The FDA cited Medvi for misbranding violations under Sections 502(a) and 502(bb) of the Federal Food, Drug, and Cosmetic Act (FDCA). Specifically:
- Medvi's website displayed product labels with the "MEDVi" name in a way that suggested Medvi was the drug compounder. It is not. Medvi partners with third-party compounding pharmacies through platforms like CareValidate and OpenLoop Health.
- The site included claims like "Same active ingredient as Wegovy and Ozempic" and "Same active ingredient as Mounjaro and Zepbound," which the FDA found implied that compounded products had been FDA-approved or evaluated for safety and effectiveness. They have not.
The warning letter is publicly available on FDA.gov (Letter #721455). It is worth reading in full.
The Advertising Problem
An investigation published by Drug Discovery & Development on April 4, 2026 documented additional concerns. Researchers found more than 5,000 active Medvi-related ads on Meta's platform, many running under what appeared to be fictitious doctor personas with fabricated medical titles. Some of the Facebook pages running sponsored Medvi ads were categorized as "Entertainment websites" and listed physical addresses that do not appear to exist.
Medvi's own website includes a disclaimer acknowledging that individuals appearing in advertisements may be actors or AI-generated portrayals. The company's founder has attributed the worst advertising practices to affiliate marketing agencies rather than Medvi itself -- but the FDA's warning letter was addressed to "MEDVi, LLC dba MEDVi."The Class Action
On March 20, 2026, a class action lawsuit was filed in the Central District of California alleging that Medvi used affiliate marketers to distribute deceptive spam emails with spoofed domains and falsified headers. The suit was filed under California's anti-spam law and involves at least 100,000 consumers.LegitScript Certification: No Longer Active
Until very recently, Medvi's strongest credibility argument was its LegitScript certification -- an independent third-party compliance verification required by major payment processors and advertising platforms including Google, Meta, and TikTok. Multiple sources as recently as last week described that certification as active. As of April 14, 2026, LegitScript's own website certification checker returns "No results found" for both medvi.org and glp.medvi.org. The certification that every Medvi defender pointed to as proof of legitimacy appears to no longer be active.
This matters enormously. LegitScript certification is what allows healthcare companies to maintain merchant accounts with major payment processors and run ads on platforms like Google and Meta. When Zealthy lost its LegitScript certification in January 2025, the DOJ alleges the company resorted to creating shell companies to continue processing payments. Whether Medvi faces similar downstream consequences remains to be seen, but the loss of this certification -- if confirmed as a revocation rather than an administrative change -- removes the single biggest pillar separating Medvi's compliance posture from the companies that have already faced the most severe enforcement actions.Important Context
Medvi was not the only company warned. On March 3, 2026, the FDA issued warning letters to 30 additional telehealth companies for similar marketing violations related to compounded GLP-1 products. A STAT News analysis found that at least 30% of those companies shared clinical affiliations with just four nationwide medical groups. This was an industry-wide enforcement action. But it does not make the violations less serious for anyone operating in this space.What Happened at Zealthy
Zealthy is a different story entirely. Where Medvi's problems center on marketing and labeling compliance, Zealthy's problems go to the clinical and operational core of telehealth practice.The DOJ Filing (April 13, 2026)
The Department of Justice filed a motion seeking an immediate asset freeze and receivership against Zealthy and its CEO, Kyle Robertson. The DOJ described Zealthy's operations as a "runaway campaign of lawbreaking.The key allegations:
Prescriptions without physician knowledge- The DOJ alleges that Zealthy used the names and licenses of doctors who did not work there to fill thousands of prescriptions without those physicians' knowledge or clinical supervision. In one example cited in the filing, the company allegedly ordered more than 8,000 prescriptions using the name of a single doctor after he had stopped working there.Non-clinician prescribing- The filing alleges "routine ordering of prescriptions by non-clinicians with no medical license."Billing practices- The DOJ alleges Zealthy charged consumers without consent, continued billing after cancellation, and instructed customer support representatives not to use the word "cancel" unless the customer said it first.Shell companies and payment processing - After losing its LegitScript certification in January 2025 for failing to disclose the DOJ lawsuit, Zealthy allegedly created shell companies to continue processing payments after major platforms and processors dropped it.Artificially diluted chargeback rates- The DOJ alleges that Zealthy executives used company credit cards to purchase their own subscriptions, artificially lowering their transaction dispute rates to hide the volume of chargebacks from financial institutions. The DOJ stated bluntly that the penalties it is seeking may bankrupt Zealthy, and that asset preservation is essential to ensure there is anything left for consumer redress.
The Backstory
This is not Kyle Robertson's first enforcement action. Robertson founded Cerebral, the telehealth mental health startup that prescribed Adderall online during the pandemic. He was ousted from Cerebral in 2022. The company eventually paid a $2.9 million fine for unauthorized distribution of controlled substances. The DOJ and FTC filed the original complaint against Zealthy in June 2024, alleging violations of the FTC Act and the Restore Online Shoppers' Confidence Act (ROSCA).The Data Breach
Separately, in January 2026, a threat actor posted Zealthy patient data for sale on a hacking forum, claiming access to 2.1 million patient records including full names, email addresses, phone numbers, addresses, driver's licenses, and patient health information.The Rules That Were Broken
This is the part that matters most for anyone building a telehealth practice. Here are the specific regulatory frameworks at play.FDCA Sections 502(a) and 502(bb) -- MisbrandingIf your website, ads, or marketing materials suggest that you are the compounder of a drug product when you are not, that is misbranding under federal law. If your marketing implies that a compounded product has been FDA-approved or evaluated for safety and effectiveness, that is also misbranding. This is what the FDA cited Medvi for, and it is what 30+ other telehealth companies were cited for in the same enforcement wave. If you are selling or facilitating access to compounded medications, your marketing language must clearly distinguish compounded products from FDA-approved products, and it must not misrepresent who is doing the compounding.FDCA Sections 503A and 503B -- Compounding Exemptions
Compounding pharmacies operate under specific exemptions from the standard drug approval process. Section 503A covers traditional pharmacies compounding pursuant to individual prescriptions. Section 503B covers outsourcing facilities that can compound without individual prescriptions but must register with the FDA and comply with current good manufacturing practices. The entire compounded GLP-1 market has been operating in a regulatory gap created by drug shortages. The FDA resolved the tirzepatide injection shortage in December 2024 and the semaglutide injection shortage in February 2025. Since then, many companies have pivoted to "personalized" formulations that add ingredients like vitamin B-12. But on April 1, 2026, the FDA clarified that a compounded product combining semaglutide with another active ingredient may still be considered "essentially a copy" of an approved drug unless a prescriber documents a patient-specific "significant difference." This window is closing.
ROSCA -- The Restore Online Shoppers' Confidence Act
ROSCA is federal law. It requires three things: clearly disclose all material subscription terms before collecting billing information, obtain express informed consent before charging, and provide a simple mechanism to cancel. The DOJ's case against Zealthy is built significantly on ROSCA violations. If your practice uses any kind of subscription or recurring billing model, ROSCA applies to you. The compliance bar is not high, but it is non-negotiable.FTC Act -- Deceptive and Unfair Practices
The FTC Act prohibits unfair or deceptive acts or practices in commerce. The allegations against both Medvi (deceptive advertising via fake doctor personas) and Zealthy (unauthorized billing, data misuse) fall under this umbrella. If you are running ads that use AI-generated images of healthcare providers, or if your marketing makes claims about provider credentials that are not accurate, you are exposed.State Prescribing and Supervision Laws
The Zealthy allegations about prescriptions issued without physician knowledge strike at the most fundamental layer of healthcare regulation. Every state has laws governing who can prescribe, under what supervision, and with what documentation. For PA-owned practices in particular, your collaborative practice agreement is not a formality. It is the legal document that authorizes your clinical operations. If prescriptions are being issued under a collaborating physician's name without their active participation, you have a problem that goes well beyond an FDA warning letter -- you are looking at potential criminal liability, loss of licensure, and personal exposure for everyone involved.How to Not Be Medvi or Zealthy
These are not complicated compliance obligations. They are the basics. But the speed at which telehealth companies scale -- especially in high-demand categories like GLP-1s -- creates real pressure to cut corners. Here is what you should be auditing right now.Marketing and Advertising
Review every piece of marketing copy on your website, social media, and ad platforms. If you are facilitating access to compounded medications, make sure your language does not imply FDA approval, does not suggest you are the compounder unless you actually are, and does not use the names or likenesses of healthcare providers without their explicit, documented consent. If you use affiliate marketers, you are responsible for what they publish under your brand. The FDA addressed its warning letter to Medvi, not to Medvi's affiliates.Billing and Subscriptions
If you use a subscription model, audit your signup flow against ROSCA requirements. Can a consumer clearly see what they will be charged and when before they enter payment information? Is there a simple, accessible cancellation mechanism? Are you actually processing cancellations when consumers request them? This is table stakes, and the DOJ has shown it will pursue asset freezes over it.
Collaborative Practice Agreements
If you are a PA-owned practice, your CPA is the backbone of your legal authority to practice. It should clearly define the scope of services, chart review requirements, prescriptive authority parameters, and the collaborating physician's active role in oversight. It should not be a document that sits in a drawer. Your collaborating physician should be engaged, reachable, and actually reviewing the work they are responsible for supervising. What happened at Zealthy -- prescriptions issued under a physician's name without their knowledge -- is the nightmare scenario. It exposes the physician to liability, the prescribing clinician to criminal charges, and the practice entity to everything from civil suits to licensure revocation.Data Privacy
If you are collecting patient health information through a telehealth platform, you need to know exactly where that data goes and who has access to it. Do not use tracking pixels or analytics tools that transmit PHI to third parties without proper authorization. The Zealthy and Cerebral enforcement actions both involved allegations of sharing patient data with advertisers. This is not a gray area.What Happens Next
Zealthy is likely headed for receivership or bankruptcy. The DOJ has said as much in its filing. The asset freeze motion, if granted, would effectively shut down operations. Robertson's track record -- ousted from Cerebral, which paid millions in fines, now facing a second round of federal enforcement at Zealthy -- makes a favorable outcome for the company unlikely.
Medvi aces a narrowing regulatory window on multiple fronts. The apparent loss of LegitScript certification -- if it holds -- could trigger cascading consequences for payment processing and advertising access, the same operational chokepoints that accelerated Zealthy's unraveling in 2025. Beyond that, Medvi's business model depends on the continued availability of compounded GLP-1s. The FDA's April 1, 2026 guidance on "essentially a copy" formulations signals that the agency is tightening its position on compounded semaglutide and tirzepatide products, particularly those that add ingredients like vitamin B-12 to argue they are not copies of approved drugs. As that window closes, every company in this space -- not just Medvi -- will need to adapt or exit.
The broader enforcement trend** is accelerating. The FDA issued more warning letters to telehealth and pharmaceutical companies in the past six months than it had in the entire previous decade. The DOJ's Health Care Fraud Unit reported a record year in 2025, and its telemedicine enforcement initiative is expanding. For anyone building in telehealth, the regulatory environment is getting tighter, not looser. The time to build compliance infrastructure is before you scale, not after you receive a warning letter.Sources
FDA Warning Letter #721455 to MEDVi, LLC (February 20, 2026) -- FDA.govLegitScript Website Certification Status lookup for medvi.org and glp.medvi.org (accessed April 14, 2026) -- LegitScript.comDOJ Motion for Asset Freeze and Receivership, Zealthy Inc. (April 13, 2026) -- reported by Sherwood NewsDrug Discovery & Development investigation on MEDVi advertising practices (April 4, 2026)Foley & Lardner LLP, "GLP-1 Compliance: FDA Targets Telehealth Marketing in 30 New Warning Letters" (March 12, 2026)Arnold & Porter, "Can You Hear Me Now?: DOJ Expands Telehealth Enforcement Efforts" (August 2, 2024)Techdirt, "The New York Times Got Played By A Telehealth Scam And Called It The Future Of AI" (April 7, 2026)Sherwood News, "Justice Department accuses telehealth Zealthy of fraud, says remedy may bankrupt it" (April 13, 2026)DOJ/FTC Amended Complaint against Cerebral, Zealthy, et al. (June 10, 2024)DataBreaches.net, "3.7 Million Telehealth Patients Allegedly Affected By Two Recent Breaches" (March 23, 2026)
Camino Strategy Group helps healthcare founders build telehealth practices that scale without cutting compliance corners. If you need help structuring collaborative practice agreements, marketing compliance review, or regulatory strategy, reach out at caminosg.com.