The U.S. Department of Justice (“DOJ”) Criminal Division and the U.S. Attorney’s Office for the Western District of North Carolina recently announced the first non-prosecution agreement (“NPA”) coming out of DOJ’s Health Care Fraud Unit since the release of DOJ’s updated Corporate Enforcement and Voluntary Self-Disclosure Policy (“CEP”) and DOJ’s criminal division enforcement priorities in May of this year. As DOJ begins to ramp up its enforcement actions in the new administration, the case is another example that suggests that cases pursued by this administration, and the resolutions reached with defendant companies, may in many cases look quite similar to cases pursued in prior administrations.
The May 12 DOJ enforcement priority memorandum from the Head of DOJ’s Criminal Division, Matthew R. Galeotti, directed DOJ’s investigations and enforcement actions to focus on ten high impact areas, the first of which is “waste, fraud, and abuse, including health care fraud and federal program and procurement fraud that harm the public fisc.”1 DOJ’s memorandum, however, emphasized that DOJ’s policies “must strike an appropriate balance between the need to . . . investigate . . . criminal wrongdoing while minimizing unnecessary burdens on American enterprise.”2 Notably, the memorandum directed prosecutors, “going forward,” “to impose a term that is ‘appropriate and necessary’ in light of the severity of the misconduct, the company’s degree of cooperation and remediation, and the effectiveness of the company’s compliance program at time of resolution.”3 It also stated that “[i]ndependent compliance monitors must only be imposed when they are necessary.”4
On August 20, 2025, DOJ announced an NPA with Troy Health, Inc., dated August 14, 2025, to resolve a criminal investigation into its Medicare Advantage enrollment practices, which are described in the NPA as being fraudulent. While Troy did not receive credit for voluntary self-disclosure under the CEP, DOJ acknowledged Troy’s early reporting to the United States Centers for Medicare & Medicaid Services (“CMS”), substantial cooperation, and remediation efforts. The company avoided a compliance monitor and received a reduced penalty of approximately $1.43 million due to inability to pay.
Troy’s use of artificial intelligence (“AI”) to scale its fraud marked a novel enforcement concern. Under the direction of a senior executive, Troy employees cold-called Medicare beneficiaries using pharmacy-sourced customer lists obtained without beneficiaries’ consent. Pharmacies were financially incentivized to generate customer data and share it with Troy, including via Troy’s AI-based platform, Troy.ai. Troy employees also accessed customer lists through a data management tool that Troy encouraged contracting pharmacies to license.
Troy employees misrepresented themselves as pharmacy staff and falsely assured beneficiaries that switching plans would not require them to change their insurance provider. Many were enrolled without knowledge or consent—either manually or via auto-enrollment. In one instance, over 300 beneficiaries were enrolled in a single day. Despite CMS’s directive to Troy to verify enrollments after CMS noted a spike in enrollments and received complaints, Troy used the outreach as a “welcome” call. Text messages between senior executives confirmed the scheme’s illegality, and Troy admitted to over $1.8 million in illicit proceeds.
Key NPA Provisions
Though DOJ deemed Troy ineligible for a declination because it did not voluntarily self-disclose the misconduct directly to DOJ as required by the CEP, DOJ nonetheless agreed to an NPA with a relatively short term of 18 months, citing two primary factors.
First, Troy demonstrated cooperation during the investigation. This included, among others, self-reporting to CMS before the conduct came to the attention of DOJ, providing timely updates from its internal investigation, producing relevant documents and information about its AI systems, and delivering factual presentations to DOJ, although DOJ noted that Troy’s cooperation was not fully effective—particularly in the early stages—due to failures in preserving and producing key documents and evidence.5
Second, Troy undertook “extensive and timely remedial measures.”6 These included:
- Removal of the Chief Operating Officer and censure of the Chief Pharmacy Officer;
- Immediate suspension of all Troy.ai functions related to member referrals and recruitment; and
- Implementation of significant enhancements to its corporate compliance program related to member enrollment.
In light of these efforts, DOJ applied a 20% reduction to the bottom of the applicable Sentencing Guidelines fine range.7 It also determined that “an independent compliance monitor [was] unnecessary,” citing the strength of Troy’s revised compliance framework and its agreement to ongoing self-reporting to DOJ.8
Additionally, based on an ability-to-pay analysis, DOJ capped Troy’s criminal penalty at approximately $1.43 million, the maximum that DOJ determined the company was able to pay.
Key Takeaways for Companies
DOJ continues to prioritize health care fraud enforcement, particularly misconduct that falls under DOJ’s recent list of priority areas. Key takeaways include:
- Given DOJ’s stated prioritization of health care fraud, waste, and abuse, specifically in the Medicare space, the recent NPA is an indication that healthcare fraud will continue to receive significant scrutiny by DOJ. DOJ stays in close contact with Medicare and looks for outliers in the data, creating enforcement risks for companies that do not appropriately police their sales and marketing activities. Companies should remain vigilant and ensure that robust compliance policies and other controls remain a focus of their corporate culture.
- Troy employees’ use of an AI tool to enhance the fraudulent scheme adds a new consideration to enforcement actions, and it is important to keep in mind that DOJ’s Evaluation of Corporate Compliance Programs encourages companies to manage “emerging risks” and assess the potential impact on new technologies like AI to ensure compliance with applicable laws.9 Companies should ensure that their compliance programs appropriately assess any potential risks from the use of AI and other similar technologies and adequately add appropriate mitigating controls.
- DOJ continues to emphasize the importance of voluntary self-disclosure before conduct comes to the attention of DOJ.
- DOJ’s inability-to-pay analysis illustrates that, while its updated guidance reflects a commitment to enforcing the law with sensitivity to broader business impacts that can affect the greater public, DOJ remains intent on pursuing the maximum penalty permissible under the circumstances.
- Finally, given the gravity of the misconduct and the direct involvement of senior executives, the relatively short, 18-month duration of the NPA and its inclusion of a self-reporting mechanism underscore DOJ’s broader white-collar enforcement philosophy to balance corporate accountability with reduced burdens on businesses, particularly when they recognize what went wrong and take steps to prevent reoccurrence. The resolution highlights the critical importance of full, early cooperation and the implementation of timely, robust remedial measures—key factors in aligning with DOJ’s intent to prosecute wrongdoing while also encouraging ethical business practices and rewarding meaningful engagement with its investigations. While Troy obtained a 20% discount off the bottom of the Sentencing Guidelines range, its failure to fully satisfy DOJ’s cooperation expectations prevented the company from receiving the maximum discount of 75% under the CEP.
Footnotes
