
Client Alert

First Healthcare Non-Prosecution Agreement Under Revised DOJ Corporate Enforcement Policy: Key Takeaways

November 12, 2025

By Gary F. Giampetruzzi, Jane H. Yoon, Henry S. Finkelstein and Jessica Montes

The Department of Justice’s recent non-prosecution agreement (NPA) with a Medicare Advantage company marks a first-of-its-kind healthcare resolution under the revised Corporate Enforcement Policy (CEP) — and the first to involve misconduct facilitated by artificial intelligence. The NPA is one of two corporate criminal resolutions executed by the Health Care Fraud Unit in 2025 to date and the first healthcare resolution by the Criminal Division this year. As such, it provides insights into the DOJ’s application of the CEP and highlights the DOJ’s continued focus on Medicare Advantage fraud, evolving expectations around self-disclosure and cooperation, and emerging scrutiny of AI-driven compliance risks.

As healthcare organizations increasingly integrate technology into their operations, this resolution serves as a timely reminder that strong governance, transparent engagement with regulators and proactive compliance remain essential in navigating today’s enforcement landscape.

Summary of Non-Prosecution Agreement With Troy Health

On August 20, 2025, the DOJ announced Troy Health, Inc. (d/b/a Troy Medicare) agreed to (i) pay approximately $1.4 million, (ii) enter into an 18-month NPA, and (iii) admit to and agree with allegations that the company engaged in a scheme to commit healthcare fraud and identity theft — facilitated in part through the use of a proprietary AI tool — to enroll beneficiaries in Troy’s Medicare Advantage plan.

  • Admissions to Covered Conduct

    Troy admitted that, between October 2020 and December 2022, it engaged in inappropriate tactics to obtain personal identifying and sensitive information about Medicare beneficiaries and enroll them in Troy’s Medicare Advantage plan without their knowledge or consent.

    To facilitate the scheme, Troy obtained customer lists from its network of contract pharmacies in various ways, with and without the pharmacies’ direct participation. One overt way involved payments in exchange for pharmacies taking “actions” in Troy’s AI platform, Troy.ai, one of which the DOJ expressly identified: per-member payments for submitting “leads” to Troy through the platform. Troy also paid pharmacies for permission to send “affiliation letters” to their customers and to perform “win back” calls to customers who had left Troy’s insurance plan. Additionally, sales representatives accessed pharmacies’ customer lists without their participation by logging into software installed at the pharmacies, which had been created by a separate company owned by a Troy executive and was also used at Troy.

    Troy’s sales representatives used these customer lists to make false or misleading, and apparently unsolicited, calls to Medicare beneficiaries, in violation of Medicare Advantage regulations. For example, the representatives used call scripts falsely identifying themselves as calling on behalf of the affiliated pharmacies, and they also did not disclose that beneficiaries who enrolled in Troy would necessarily have to leave (i.e., be disenrolled from) their existing health plan. The Troy sales employees also avoided making calls on recorded lines, including by using personal phones or pharmacy phones, and falsely documented these calls as “face to face” meetings.

    Between January 2022 and March 2022, Troy’s employees also used these pharmacy customer lists to enroll Medicare beneficiaries in Troy’s Medicare Advantage plan without their knowledge or consent. Troy enrolled the patients both manually and through auto-enrolling large batches of patients at a single time (including in one instance around 300 patients in one day). During the same period, the Centers for Medicare and Medicaid Services (CMS) identified the spike and received complaints from beneficiaries, leading CMS to instruct Troy to use a script to make verification calls to the beneficiaries (i.e., confirm their desire to enroll with Troy). Certain Troy representatives instead used the calls to welcome the patients to the plan. Record evidence also included Troy sales representatives exchanging text messages about the verification calls, in which they admitted to enrolling patients without their consent.

  • Application of the Revised CEP

    On May 12, 2025, the DOJ Criminal Division released a revised CEP. Under Part I of the CEP, prosecutors are instructed to provide declinations (no longer just a presumption of a declination) with disgorgement/forfeiture and restitution/victim compensation to companies that voluntarily self-disclose misconduct to the Criminal Division, fully cooperate, timely and appropriately remediate, and lack aggravating circumstances. Part II applies to “near miss” situations where the company makes a good-faith self-disclosure to the DOJ, fully cooperates and timely remediates, but either does not qualify as a voluntary self-disclosure or has aggravating circumstances warranting a criminal resolution. Under Part II, prosecutors shall provide an NPA, allow a term length of fewer than three years, not require an independent compliance monitor, and provide a reduction of 75% off the low end of the U.S. Sentencing Guidelines. The CEP’s final section, Part III, applies to companies that met some but not all factors in Part I, and gives prosecutors discretion to determine the appropriate resolution, provided that the Criminal Division may not recommend a fine reduction of more than 50%.

    Troy received an NPA pursuant to Part III of the CEP. The NPA states that Troy “did not receive voluntary self-disclosure pursuant to the [CEP] or pursuant to the [U.S. Sentencing Guidelines] because it did not disclose to the Criminal Division the conduct described in the Statement of Facts.”[1] Additionally, the NPA explains that the “Company received credit for its cooperation” pursuant to the U.S. Sentencing Guidelines and the CEP, and includes various aspects of its cooperation (e.g., timely updates based upon its internal investigation, making witnesses available). However, the press release also notes that Troy’s “cooperation was not as effective as it otherwise could have been, especially during the early stages of the [DOJ’s] investigation where [Troy] failed to adequately preserve and produce certain documents and evidence.” The DOJ press release also highlights that Troy “at times, took actions that were inconsistent with full cooperation.”[2]

    Further, the NPA provides that Troy “also received credit pursuant to the CEP because it engaged in extensive and timely remedial measures.” These measures included replacing the CEO, censuring the chief pharmacy officer, prohibiting certain sales personnel from enrolling members by telephone, and hiring a new director to oversee sales personnel. New compliance measures to guard against new member enrollment were also implemented. Consequently, the DOJ provided a reduction of 20% off the bottom of the U.S. Sentencing Guidelines.

    Under Part III of the CEP, the DOJ retained discretion to determine that an 18-month NPA without an independent compliance monitor was an appropriate form of resolution. The NPA explained that the DOJ entered into this resolution “based on the individual facts and circumstances presented by this case and the Company,” which included, in addition to the factors noted above, the nature and seriousness of the offense, the company’s lack of recidivism, and other concessions and obligations agreed to by Troy. The NPA also acknowledges that Troy’s forfeiture was capped at $1.43 million following an independent, inability-to-pay assessment, including a determination that a greater resolution amount within 90 days of entering into the NPA would have threatened the continued viability of the company and the fact that the company was required by North Carolina to “maintain sufficient capital in reserve to pay any unpaid insurance claims and expenses on behalf of participants.”

  • Key NPA Concessions and Obligations

    In the NPA, Troy acknowledged that the Statement of Facts constituted conspiracies to violate the Health Care Fraud Statute (18 U.S.C. § 1347) and Identity Theft Statute (18 U.S.C. § 1028(a)(7)), and accepted responsibility for those violations. Troy also agreed to continue to enhance its compliance program and internal controls and to self-report to the DOJ on the status of those enhancements.[3] Troy also committed to broad cooperation and voluntary self-disclosure obligations.

Reflections on the Resolution

  1. Self-Reporting Dynamics

    Troy self-reported part of the covered conduct to CMS before the conduct “had come to the attention of” the DOJ, and this earned Troy cooperation credit. However, Troy did not receive voluntary disclosure credit under the CEP. This serves as a reminder that the CEP defines qualifying voluntary self-disclosure as disclosure “to the Criminal Division” or “good faith disclosure to another office or component” of the DOJ (see 9-47.120, Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy).

    Even if Troy had self-disclosed to the DOJ, Troy may have still lacked another key element for voluntary disclosure credit: a disclosure that is made without “an imminent threat of disclosure or government [DOJ] investigation” (see Appendix B, citing U.S.S.G. § 8C2.5(g)(1)). In this case, the Statement of Facts provides that CMS had identified a spike in enrollments following Troy’s fraudulent batch enrollments in 2022 and received a high volume of complaints from beneficiaries, some of whom complained that they were enrolled without their knowledge or consent. In response, CMS instructed Troy to call all newly enrolled beneficiaries to ensure they intended to enroll with Troy. The resolution documents do not make explicit when the Troy-CMS contact occurred, relative to CMS’s receipt of beneficiary complaints, but if Troy’s outreach occurred amidst beneficiary complaints to a government agency and the company was on notice of such reports, the DOJ might have viewed the disclosure as having been made, at least in part, under the threat of disclosure or imminent investigation. In the past, an “imminent threat of disclosure” was generally tied to likely publicity, a specific whistleblower or the like. Here, complaints to another agency or even data analytics are the sources of an imminent threat of disclosure.

  2. Broad Cooperation and Self-Disclosure Obligations

    Troy agreed to cooperate with ongoing investigations of the conduct described in the NPA or the Statement of Facts and “other conduct under investigation by” the Criminal Division, Fraud Section and the U.S. Attorney’s Office for the Western District of North Carolina (the Offices) until such matters are concluded or the end of the NPA. Troy also agreed to cooperate, at the request of the Offices, with “other domestic or foreign law enforcement and regulatory authorities and agencies in any investigation of the Company, its affiliates, or any of its present or former offices, directors, employees, agents, and consultants, or any other party, in any and all matters relating to the conduct … and other conduct under investigation by the Offices or any other component” of the DOJ until the end of the NPA. Therefore, for the relevant time periods, Troy is obligated to cooperate with investigations into any type of conduct, even if unrelated to its healthcare fraud and identity theft violations, and with any law enforcement or regulatory agency if requested by the Offices. The Health Care Fraud Unit’s other criminal resolution in 2025 contains the same broad obligations, and similarly broad obligations can be found in the unit’s last criminal resolution in 2016.

    As to voluntary self-disclosure, Troy is required to: (1) report to the Offices any “evidence or allegation of conduct that may constitute a violation of” the Health Care Fraud Statute, Identity Theft Statute or similar applicable laws, and (2) certify compliance with this provision. This self-disclosure obligation is arguably more expansive than that in the Health Care Fraud Unit’s other criminal resolutions in 2025 and 2016. The other 2025 resolution requires disclosures of evidence or allegations relevant to the investigations with which it cooperates, and imposes an obligation to disclose “reportable events,” defined as events that a reasonable person could consider a material violation of certain relevant laws after an appropriate review. The 2016 resolution requires reporting “evidence or allegations of actual or potential violations” of the Anti-Kickback Statute. Also, although these prior resolutions required each company to self-certify compliance with disclosure obligations, only the Troy NPA contains a template self-certification form. The template certification makes clear that Troy must disclose information “identified through the Company’s compliance and controls program, whistleblower channel, internal audit reports, due diligence procedures, investigation process, or other processes.” Interestingly, there is no “credibility” threshold specified in its certification form.

  3. Artificial Intelligence in Focus

    In its press release announcing the Troy resolution, the DOJ’s one-sentence summary of the matter emphasizes Troy’s use of its AI tool: “[Troy] has entered into a non-prosecution agreement with the Department of Justice to resolve a criminal investigation into a health care fraud and identity theft scheme involving the use of artificial intelligence and automation software to illegally obtain Medicare beneficiary information and fraudulently enroll beneficiaries into its Medicare Advantage plans.” It then quotes Assistant Attorney General Matthew Galeotti of the DOJ’s Criminal Division as saying, “Troy told low-income Medicare beneficiaries that it would use new technologies, including its proprietary artificial intelligence platform, to improve patient health outcomes. Instead, the company misused patient data to enroll beneficiaries in its Medicare Advantage plan without their consent.”

    Also emphasizing AI, the NPA explains Troy received cooperation credit for producing “information regarding the Company’s proprietary artificial intelligence platform, Troy.ai,” and for undertaking certain remediation efforts including “promptly suspending all functions within Troy.ai related to member referrals or recruitment.”

    The DOJ’s emphasis on Troy’s AI tool suggests that prosecutors viewed the use of AI to obtain beneficiary information for unauthorized beneficiary enrollment as a significant facet of this case, even though Troy obtained customer data in ways other than its AI platform. By emphasizing the role of AI, the DOJ is making it known that where it suspects companies or individuals have used AI to facilitate misconduct, the DOJ may devote considerable attention to investigating that aspect of the case.

  4. Medicare Advantage and Healthcare Fraud as Enforcement Priorities

    The resolution papers also emphasize Troy’s violation of Medicare Advantage regulations. Though not expressly noted, the DOJ may have been referring to regulations that prohibit plans from providing false or misleading information to potential enrollees or from engaging in activities that could mislead or confuse or misrepresenting the plan organization (see 42 CFR § 422.2262(a)(1)(i), which prohibits plans from providing inaccurate or misleading information to current or potential enrollees; 42 CFR § 422.2262(a)(1)(iii), which prohibits plans from engaging in activities that could mislead or confuse or misrepresenting the plan organization). The DOJ may have also been referring to regulations that prohibit unsolicited telephone calls to potential enrollees who have not provided consent to be contacted (see 42 CFR § 422.2264(a)(2)(iv), which prohibits Medicare Advantage plans from making unsolicited telephone calls to potential enrollees who have not provided consent to be contacted).

    Medicare Advantage and healthcare fraud have been a False Claims Act enforcement priority for several years, and the current DOJ has continued that focus, as demonstrated by several developments in 2025, including this resolution with Troy.[4]

Conclusion

The Troy NPA underscores the DOJ’s continued focus on corporate healthcare fraud enforcement out of the Fraud Section and offers the first glimpse into how the revised CEP is being applied in practice. The resolution highlights the importance of timely self-disclosure to the DOJ itself, robust cooperation and meaningful remediation in securing favorable treatment, while also signaling the department’s growing scrutiny of how companies use emerging technologies like AI. Companies that interact with federal payors — particularly those operating in the Medicare Advantage space — should take careful note.

 

[1] Without a voluntary disclosure, Troy could not receive credit under Part I of the CEP.

[2] For these reasons, in the absence of any self-disclosure to the DOJ and full cooperation, Troy did not qualify for treatment under Part II of the CEP.

[3] Compliance program updates include, but are not limited to, implementing: (i) risk management processes; (ii) a compensation structure that incentivizes compliant behavior; (iii) a robust compliance training regime for directors, officers, employees and agents/business partners (when “necessary and appropriate”); and (iv) a periodic monitoring and testing system of Troy’s compliance program.

[4] Recent developments include the DOJ’s May 2025 “White Collar Enforcement Plan” — which identified healthcare fraud as one of ten priority focus areas — and the DOJ and HHS-OIG’s July 2025 relaunch of the “False Claims Act Working Group,” formalizing and strengthening coordination between the two agencies in enforcement priority areas.
