
The Done Global Conviction: What Every Telehealth Provider Needs to Know

March 15, 2026 · 5 min read

In November 2025, a federal jury convicted the CEO and clinical president of Done Global, Inc. on charges of conspiracy to commit drug distribution through telemedicine. It was the Department of Justice's first-ever criminal prosecution for drug distribution arising specifically from a telehealth operation. The case should be required reading for every telehealth provider, compliance officer, and platform operator in the country.

What Happened at Done Global

Done Global operated as a telehealth platform focused on ADHD treatment. At its peak, the company generated more than $100 million in revenue, connecting patients with providers who prescribed controlled substances — primarily Adderall and other Schedule II stimulants — through brief video consultations.

The DOJ's prosecution centered on systemic compliance failures. According to court filings, Done Global had no meaningful process for verifying patient identity. Providers were not confirming where patients were physically located during sessions. The company's internal systems did not cross-reference provider licensing against patient state of residence. In some cases, providers prescribed controlled substances to patients in states where they held no license at all.

The convictions reflect a deliberate failure to build the most basic compliance infrastructure. This was not a case of one bad provider — it was organizational.

Both defendants face up to 20 years in federal prison. Sentencing is pending.

Why This Goes Beyond Fraud

It would be a mistake to dismiss Done Global as an outlier fraud case. The prosecution's significance lies in what the DOJ chose to emphasize: infrastructure failures. Prosecutors did not focus solely on whether individual prescriptions were medically unjustified. They built their case around the absence of systems — no location verification, no licensing checks, no documentation processes that could withstand scrutiny.

This framing has implications for every telehealth organization. The DOJ is establishing a precedent that inadequate compliance infrastructure is not merely a regulatory gap. It can be the foundation of a criminal case. If your organization cannot demonstrate that it systematically verifies the legal basis for every telehealth encounter, the entire operation is exposed.

The Location Verification Problem

At the core of Done Global's failures was a deceptively simple issue: the company did not verify where patients were physically located when they received care. In telehealth, the patient's physical location at the time of the session determines which state's laws govern the encounter. A provider licensed in California treating a patient physically present in Texas must hold a valid Texas license — or be covered by an applicable interstate compact.

Without location verification, nothing else in the compliance chain works. License cross-referencing is meaningless if you don't know which state to check against. Audit trails are incomplete if they don't document verified patient location. Compact eligibility — PSYPACT, IMLC, NLC — cannot be applied if the patient's state is unknown or unconfirmed.

Done Global treated location as an afterthought. Federal prosecutors treated it as evidence of criminal intent.

A Broader Enforcement Pattern

The Done Global conviction did not happen in isolation. It arrived within a year of the largest healthcare fraud enforcement action in DOJ history. In 2025, the DOJ charged 324 defendants for approximately $14.6 billion in alleged healthcare fraud. Of those, 49 defendants were specifically tied to telehealth-related schemes.

The regulatory pressure extends beyond the DOJ:

  • CMS tripled civil monetary penalty rates for healthcare fraud, with per-violation fines increasing from approximately $11,000 to over $33,000 in some categories.
  • The OIG's 2025 work plan explicitly targets telehealth, with planned audits of prescribing patterns, location verification practices, and interstate licensing compliance.
  • New Jersey classified unlicensed telehealth practice as a criminal offense, carrying 3 to 5 years of imprisonment — a significant escalation from the administrative penalties most states had previously relied on.

The pattern is unmistakable. The pandemic-era flexibility that allowed telehealth to scale rapidly is being replaced by an enforcement posture that demands documentation, verification, and accountability at every step.

Three Steps Every Provider Should Take Now

The Done Global case provides a clear roadmap of what regulators expect. Providers and organizations should focus on three areas immediately:

1. Verify Patient Location for Every Session

Patient location must be confirmed at the start of every telehealth encounter — not assumed from a home address on file. Patients travel. They work remotely from different states. A patient who registered with a New York address may be sitting in Florida when the session begins. The only compliant approach is real-time verification with documentation: GPS confirmation, IP geolocation as a secondary signal, and a recorded attestation in the session record.

2. Confirm Licensing and Compact Coverage

Once you know the patient's state, you need to confirm — in a documented, auditable way — that the treating provider is authorized to practice there. This means either a current, active license in that state or verified eligibility under an applicable interstate compact. PSYPACT covers psychology across 42 member jurisdictions. The IMLC covers physicians across 43 states. The NLC covers nurses across 41 states. But compact eligibility is not automatic — it requires specific credentials and enrollment. Your system must verify, not assume.

3. Build an Audit Trail That Can Withstand Scrutiny

If a regulator, insurer, or prosecutor examines your telehealth sessions, will your records demonstrate compliance? Every session should have a timestamped Compliance Verification Record documenting: the patient's verified location, the provider's licensing basis for that state, and the method of verification. If you cannot produce this documentation on demand, you have the same vulnerability that brought down Done Global.
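The three steps above, combined into one per-session check, as an added example (not TeleVerify's or any vendor's code). The function names, the sample license and compact tables, and the hash chain that makes the record tamper-evident are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample data, not real licensing or compact membership records.
LICENSES = {"prov-1": {"CA"}}            # provider -> states with an active license
COMPACT_ENROLLED = {"prov-1": {"IMLC"}}  # provider -> compacts actually enrolled in
COMPACT_STATES = {"IMLC": {"CA", "TX"}}  # constructed subset of member states
GENESIS = "0" * 64

def resolve_location(gps, ip_geo, attested):
    """GPS is primary, the attestation must match it, IP is a secondary signal."""
    if gps is None:
        return None, "no_gps_fix"
    if attested != gps:
        return None, "attestation_conflicts_with_gps"
    return gps, "ip_agrees" if ip_geo == gps else "ip_mismatch_flagged"

def licensing_basis(provider, state):
    if state in LICENSES.get(provider, set()):
        return "state_license"
    for compact in sorted(COMPACT_ENROLLED.get(provider, set())):
        if state in COMPACT_STATES.get(compact, set()):
            return f"compact:{compact}"
    return None  # no documented basis: the session must not proceed

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def verify_session(session_id, provider, gps, ip_geo, attested, prev_hash):
    state, note = resolve_location(gps, ip_geo, attested)
    basis = licensing_basis(provider, state) if state else None
    record = {
        "session_id": session_id, "provider": provider, "prev_hash": prev_hash,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "verified_state": state, "licensing_basis": basis, "allowed": bool(state and basis),
        "method": {"gps": gps, "ip_geo": ip_geo, "attested": attested, "note": note},
    }
    record["hash"] = _digest(record)  # covers every field, including prev_hash
    return record

def chain_intact(records):
    prev = GENESIS
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev_hash"] != prev or rec["hash"] != _digest(body):
            return False  # a record was edited or the link to its predecessor broke
        prev = rec["hash"]
    return True
```

Denied sessions are recorded as well as allowed ones, so the trail shows that the check ran every time, not only when it passed.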

The Cost of Inaction

The average fine for a single instance of practicing without proper state authorization is $11,665. For a provider conducting 20 cross-state sessions per week without proper verification, the annualized risk exposure exceeds $12 million. That calculation does not include criminal liability, license revocation, malpractice exposure, or the reputational damage that accompanies an enforcement action.

The Done Global conviction makes one thing clear: the DOJ views telehealth compliance failures not as administrative oversights but as potential criminal conduct. The standard of care for telehealth operations has permanently changed.

TeleVerify automates all three of the steps outlined above — real-time location verification, license and compact cross-referencing, and audit-ready documentation for every session. If you are building or operating a telehealth practice, these are problems worth solving before a regulator solves them for you.

