The $1.8 Billion AI Lie: Deepfake Doctors, Spam Lawsuits, and the Company Sam Altman Wished He’d Built

MEDVi was supposed to be proof that AI could replace an entire company. Two brothers. $20,000. A projected $1.8 billion in revenue. Sam Altman called it a bet won. The New York Times called it the future of business. What nobody mentioned: the FDA warning letter, the 800+ fake doctor accounts, the deepfaked patient photos, the class action spam lawsuits, and 1.6 million patient records exposed in a data breach. This isn’t an AI success story. It’s a transparency crisis with a price tag.

The Origin Story the World Was Sold

On April 2, 2026, the New York Times published a profile of Matthew Gallagher, a self-taught entrepreneur from Los Angeles who built MEDVi, a GLP-1 telehealth startup, in two months flat. The company generated $401 million in sales in 2025, its first full year. It is now projecting $1.8 billion for 2026. Its entire headcount: Gallagher and his brother Elliot.

Gallagher used ChatGPT, Claude, Grok, MidJourney, and Runway to build the site, generate marketing content, and run customer service. He outsourced the actual medicine, the doctors, prescriptions, pharmacies, shipping, and compliance to CareValidate and OpenLoop Health. What MEDVi owned was the brand, the checkout page, and the ad machine.

The story was irresistible. OpenAI CEO Sam Altman had predicted in early 2024 that AI would produce a one-person, billion-dollar company. When the Times reached him for comment, Altman reportedly responded that it looked like he’d won the bet with his tech CEO friends, and that he “would like to meet the guy.” The internet exploded. Forbes, Inc., Fortune, everyone ran with it.

There was just one problem. Nearly everything underneath the headline was on fire.

What Nobody Talked About: A Timeline of Deception

MAY 2025: Futurism investigates MEDVi, finding AI-generated patient photos, deepfaked before-and-after weight loss images built from faces harvested from the internet, and fake Ozempic box imagery on the website. A real doctor listed on the site, Tzvi Doron, tells Futurism he has no association with MEDVi and demands to be removed.

NOVEMBER 2025: A class action lawsuit is filed against OpenLoop Health and Triad Rx, alleging that compounded oral tirzepatide tablets, one of MEDVi’s key product categories, have no scientifically demonstrated absorption mechanism. MEDVi is named as a platform in the OpenLoop network.

JANUARY 2026: OpenLoop Health suffers a cybersecurity breach. A threat actor claims access to 1.6 million patient records, including names, contact info, dates of birth, and medical information. MEDVi patients routed through OpenLoop may be affected.

FEBRUARY 2026: The FDA sends MEDVi a warning letter (Letter #721455) for misbranding compounded drugs. The agency flags claims like “Same active ingredient as Wegovy® and Ozempic®” as implying FDA approval that does not exist. MEDVi later attributes the flagged site to an affiliate, but the FDA letter is addressed directly to “MEDVi, LLC dba MEDVi.”

MARCH 2026: Dallas James v. Medvi LLC is filed in the Central District of California under California’s anti-spam statute, alleging MEDVi pays affiliates to send mass spam emails using spoofed domains, falsified headers, and deceptive subject lines. One exhibit shows an email sent from “147936572@kcjvjydhd.us” with a return address of “123 Wellness Blvd, Healthtown, USA.”

APRIL 2, 2026: The New York Times publishes its profile. None of the above is mentioned. Altman celebrates the story.

APRIL 3–8, 2026: Drug Discovery & Development, Business Insider, and Techdirt publish investigations documenting 5,000+ active Meta ads running under fabricated doctor personas, including “Professor Albust Dongledore” and “Dr. Richard Hörzgock.” Real doctors are removed from the site after reporters start asking questions.

The Times verified MEDVi’s revenue. It did not verify how that revenue was generated.

800 Fake Doctors on Facebook, And Nobody Checked

Multiple independent investigations have documented a sweeping pattern of fabricated medical personas across MEDVi’s advertising operation. A search of Meta’s Ad Library at the time of reporting returned more than 5,000 active ad campaigns mentioning or linking to MEDVi. Many ran under names presented as licensed physicians but linked to pages categorized as entertainment websites, clothing stores, or gospel musician profiles repurposed and rebranded.

Profiles like “Dr. Matthew Anderson MD” were tied to Angolan phone numbers. “Wade Frazer MD” dropped the “MD” after Business Insider inquired. The same AI-generated profile photo appeared across multiple pages simultaneously. Gemini watermarks, telltale signs of AI image generation, were visible on several profile pictures. Investigations found that none of the pages carried prominent disclosures at the time of review.

Source

DISCLOSURE GAP

MEDVi’s website contains a fine-print disclaimer: “Individuals appearing in advertisements may be actors or AI portraying doctors and are not licensed medical professionals.” This was buried at the bottom of the page. None of the individual Facebook ad pages reviewed by reporters carried similar disclosures. Gallagher told Business Insider that roughly 30% of MEDVi’s advertising ran through affiliates. None of those affiliate pages were found to carry prominent AI disclosures either.

This is not ambiguous. Using AI-generated personas dressed in medical credentials to sell prescription medications to real patients is deceptive. The FTC has stated that advertisers must have reasonable oversight programs for affiliates, and flagged health-related marketing as requiring more supervision than lower-risk categories. MEDVi’s stated policy is to provide disclosure or remove AI-generated doctor portrayals. The evidence from multiple newsrooms suggests that policy was not enforced.

The AMA has been sounding this alarm for months. CEO John Whyte, MD, MPH, wrote in STAT News in February 2026 that deepfake doctors represent a direct threat to public health. The AMA adopted policy in late 2025 calling for federal legislation against deepfake medical impersonation, warning that such content undermines the patient-physician relationship and steers patients toward dangerous purchases. Whyte argued that without regulatory intervention, these deepfakes will deepen a trust crisis at a moment when public confidence in medical institutions is already declining.

MEDVi is a case study in exactly what the AMA warned about.

The Spam Machine Behind the Revenue

MEDVi has been sued at least three times in the past year by individuals alleging the company and its affiliate marketers violated spam laws through unsolicited texts and emails. One suit was voluntarily dismissed. Two remain pending.

The most detailed case, Dallas James v. Medvi LLC (filed March 2026, Central District of California), alleges a large-scale email spam operation. Court exhibits show emails sent from randomized domains designed to evade spam filters, with subject lines rendered in unicode characters to bypass detection. The physical address listed in one email was “123 Wellness Blvd, Healthtown, USA”, an address that does not exist. The complaint alleges over 100,000 spam emails per year to class members and seeks $1,000 per violating email.

A separate breach-of-contract lawsuit from one of MEDVi’s own affiliate marketing partners, The Offer v. MEDVi, landed in Los Angeles Superior Court in December 2025. The affiliate sued for over $1 million in unpaid commissions, with a paper trail showing the per-lead economics of the operation. A judge granted right-to-attach orders against both MEDVi and Gallagher personally. The two cases are two views of the same pipeline: the spam emails that reached consumers and the affiliate payments that generated them.

BY THE NUMBERS

$401 Million

MEDVi’s reported 2025 revenue, verified by the New York Times, with a 16.2% net profit margin (~$65M). The company projects $1.8B in 2026 sales. The question isn’t whether the revenue is real. The question is how much of it was generated through practices that are now the subject of federal and state litigation.

The FDA Warning Nobody Covered

Six weeks before the Times profile, on February 20, 2026, the FDA sent MEDVi a warning letter for misbranding the compounded drugs driving its revenue. The letter cited claims on MEDVi’s site that falsely suggested MEDVi was the compounder of the semaglutide and tirzepatide it sold, and flagged marketing language implying FDA approval that didn’t exist. The FDA warned that failure to correct could lead to seizure or injunction.

MEDVi later claimed the flagged site belonged to an affiliate. But the letter is addressed directly to MEDVi, LLC, uses the company’s own email address, and references MEDVi-branded claims. This is a pattern: when scrutiny arrives, MEDVi points to affiliates. When revenue is counted, those same affiliates are part of the operation.

The broader GLP-1 telehealth space is under increasing regulatory pressure. The FDA resolved the semaglutide and tirzepatide injection shortages in late 2024 and early 2025, narrowing the legal basis for compounding. In December 2025, a bipartisan coalition of 35 attorneys general wrote to Meta about deceptive, AI-generated weight-loss ads flooding the platform. The window MEDVi’s business model depends on is closing.

1.6 Million Patient Records Exposed

In January 2026, OpenLoop Health, the clinical infrastructure partner that handles MEDVi’s doctors, prescriptions, and compliance, was breached by a threat actor who claimed to have exfiltrated records from approximately 1.6 million patients. The compromised data includes names, addresses, email addresses, dates of birth, and medical information. OpenLoop confirmed at least 68,160 affected individuals in Texas through attorney general filings and now faces multiple class action lawsuits.

The breach happened at OpenLoop, not at MEDVi directly. But every MEDVi patient whose care was routed through OpenLoop may be affected. Patients who signed up through fabricated doctor Facebook pages now have their real medical data exposed in a breach at a company they may never have heard of. That’s the cost of opaque infrastructure in healthcare.

The RICO Case: “Modern-Day Snake Oil”

The full scope of what MEDVi was selling (and through whom) is laid bare in the class action complaint Darby Day v. OpenLoop Health Inc., Triad RX Buyer LLC and Triad RX, Inc. (Case No. 25CV01418, D. Del., filed November 20, 2025). The complaint, brought by the law firm Chimicles Schwartz Kriner & Donaldson-Smith LLP, does not merely allege deceptive advertising. It invokes the Racketeer Influenced and Corrupt Organizations Act (RICO), alleging that OpenLoop, Triad Rx, and their network of consumer-facing telehealth storefronts (including MEDVi) operated as an association-in-fact enterprise to manufacture, distribute, and profit from an unapproved, pharmacologically inert oral tirzepatide pill.

The complaint is blunt in its characterization: it describes the oral tirzepatide product as “modern-day snake oil”, a mass-produced compound with no demonstrated mechanism of absorption or efficacy, marketed to consumers as a legitimate alternative to FDA-approved injectable GLP-1 medications.

The scientific basis is extensively documented: tirzepatide is a large peptide molecule exceeding 4,800 Daltons in molecular weight, making it susceptible to rapid enzymatic degradation in the gastrointestinal tract when taken orally. No peer-reviewed study has demonstrated any measurable systemic bioavailability from a compounded oral tirzepatide formulation. The complaint notes that even the only FDA-approved oral GLP-1 drug, Rybelsus (oral semaglutide), required a specialized absorption enhancer called SNAC to achieve roughly one percent bioavailability — and that technology does not translate to tirzepatide.

The complaint also reveals the full architecture of the operation. MEDVi was not a standalone company that happened to use OpenLoop as a vendor. According to the filing, MEDVi was one of dozens of nearly identical telehealth storefronts (including Fridays, FuturHealth, Remedy Meds, Diddly Health, Gala GLP-1, Remmy, Lovely Meds, and others) all running on OpenLoop’s white-label infrastructure, all sharing the same provider network, and all funneling customers to the same compounding pharmacy, Triad Rx. The complaint alleges that these consumer-facing websites serve primarily as lead-generation portals that conceal their common origin while creating a false impression that oral tirzepatide is widely accepted and prescribed.

The named plaintiff, Darby Day of North Carolina, paid $279.99 for a one-month supply of oral tirzepatide through MEDVi. He alleges he never spoke with, videoconferenced, or otherwise consulted a licensed medical professional at any point in the process. His invoice bore MEDVi’s name but listed OpenLoop’s headquarters as the billing address. His medication arrived from Triad Rx. He took it as directed for over a week, experienced no physiological effects, and cancelled. The complaint brings six counts: two RICO counts (substantive and conspiracy), violations of the North Carolina Unfair and Deceptive Trade Practices Act, common law fraud, unjust enrichment, and violations of consumer protection statutes across fourteen states. It seeks treble damages, attorneys’ fees, disgorgement, and injunctive relief.

This is the case the New York Times profile didn’t mention. It was filed six weeks before the article ran.

The AI Disclosure That Wasn’t

MEDVi’s website does contain an AI disclosure. Buried in the footer, it reads: “Certain materials on this website, including text, images, and other media, may be generated or enhanced using artificial intelligence technologies. No representation or warranty is made regarding the accuracy, completeness, or reliability of such content.”

That is not transparency. That is a legal hedge.

Transparency means telling a patient, clearly and prominently, that the doctor endorsing their weight-loss medication is not a real person. It means disclosing that before-and-after photos were generated by AI using faces taken from strangers on the internet. It means being upfront that the chatbot handling customer service has fabricated prices. It means not hiding behind the word “may.”

“The foundation of the patient-physician relationship is built on accurate information, trust, professionalism, and authenticity — all of which are under direct threat from deepfake content.” — John Whyte, MD, MPH, CEO, American Medical Association

The FTC has flagged that health-related marketing using AI-generated content requires more supervision, not less. The EU AI Act, which begins enforcement in August 2026, classifies AI systems used in healthcare as high-risk and mandates transparency, human oversight, and rigorous documentation. The Colorado AI Act, effective June 2026, requires deployers of high-risk AI systems to disclose their use to consumers and implement risk management practices.

MEDVi would fail every one of those standards.

What This Actually Proves About AI

Sam Altman said MEDVi proved his prediction. He’s right — just not in the way he intended.

MEDVi proves that AI can scale deception at a speed regulators cannot match. It proves that a two-person operation can generate 800 fake doctor personas, flood a platform with 5,000 ad campaigns, send hundreds of thousands of spam emails through disposable domains, and reach $401 million in revenue before any enforcement action lands. It proves that AI-powered business can outpace AI-powered accountability by a wide margin.

It also proves that the current system is broken. No independent certification was required before MEDVi launched. No transparency standard was applied to its advertising. No registry existed where a consumer could check whether the company’s AI practices had been verified by anyone other than the company itself. The New York Times verified the revenue. Nobody verified the ethics.

THE TRUST GAP

81%

Of consumers say they don’t trust companies to use AI responsibly.
MEDVi shows exactly why. And 70% of consumers can no longer tell if what they see online is AI-generated, which is precisely the asymmetry companies like MEDVi exploit.

The Accountability Era Is Here

The MEDVi case is not an edge case. It is what happens at scale when AI tools are deployed in a regulated industry with no transparency infrastructure. The fake doctors, the spam, the deepfakes, the misbranding, the data breach, none of these required new technology to prevent.

They required accountability. Standards. Disclosure. Oversight.
The things that exist in every other regulated sector and are conspicuously absent from AI-powered marketing.

The EU AI Act is coming. The Colorado AI Act is coming. The FTC is already enforcing. Thirty-five attorneys general have already written to Meta about exactly the kind of advertising MEDVi ran. The AMA is calling for federal legislation on deepfake medical impersonation. The regulatory walls are going up.

MEDVi is what happens when nobody checks. SiteTrust exists so that consumers, regulators, and partners have somewhere to check.