US Telehealth Risk Landscape: Regulatory, Financial, and Operational Threats | Renatus
RESEARCH RISK ASSESSMENT
Healthcare & Life Sciences · US · 10 Apr 2026

US Telehealth Risk Landscape: Regulatory,
Financial, and Operational Threats

US telehealth is not a growth story with risks at the edges — it is a market where the risks are structural and several are already materialising.

The DEA has extended controlled-substance prescribing flexibilities through December 31, 2026[Federal Register], but the pending Special Registrations rule would impose platform-level licensing requirements on direct-to-consumer prescribing businesses for the first time. CMS finalized a 3.85% physician fee schedule increase for 2026[CMS], but the broader telehealth reimbursement framework depends on Congressional extensions running only through 2027 — after which a cliff cuts revenue for home-based services across rural health clinics and hospital outpatient programs.

Three forces are compressing this market simultaneously: regulatory tightening on controlled-substance prescribing, reimbursement uncertainty beyond 2027, and a cybersecurity environment where 180-plus ransomware attacks hit healthcare providers in 2024 and a 40% year-on-year rise in telehealth-specific breaches was recorded in 2025[Deloitte]. The companies that built fast growth on ADHD stimulant prescribing and compounded GLP-1 sales — Cerebral, Done Global, Hims & Hers — are each navigating active or concluded enforcement actions. For investors, the question is not whether these risks are real. It is which ones are already affecting cash flows, and which signals would confirm the environment is getting worse.

DEA flexibility extension deadline Dec 31, 2026
Fourth temporary extension — no permanent rule yet finalized
  1. The DEA's controlled-substance prescribing window closes at end of 2026 with no permanent replacement in place. The fourth temporary extension (Federal Register 2025-24123) preserves telemedicine prescribing flexibilities only through December 31, 2026[Federal Register]; a pending Special Registrations rule would require platform-level DEA registration for direct-to-consumer telehealth businesses — a structural cost and compliance burden with no precedent.

  2. Telehealth reimbursement for home-based services faces a hard cliff in January 2028. CMS confirmed that RHC and FQHC non-behavioral telehealth extensions and hospital outpatient remote billing run only through December 31, 2027[CMS]; if Congress does not act, reimbursement for home-based visits reverts to pre-pandemic geographic restrictions.

  3. Cybersecurity costs are already affecting telehealth revenues — this is not a future risk. Deloitte recorded 127 telehealth-specific breach incidents in 2025, a 40% year-on-year increase, with an average remediation cost of $12.4M per breach[Deloitte]; Statista data shows 22% user churn following breach disclosures[Statista].

  4. GLP-1 prescribing via telehealth is under active DOJ and FDA enforcement — not future regulatory risk. The US Health Department referred Hims & Hers to the Department of Justice for potential violations of the Federal Food, Drug and Cosmetic Act related to compounded GLP-1 marketing[JAMA Health Forum]; no settlement amount has been disclosed but enforcement is active.

1. Regulatory Risk

The DEA's prescribing window closes at end of 2026 — and no permanent rule is ready.

Every direct-to-consumer telehealth business built on controlled-substance prescribing is operating on borrowed time.

The legal foundation for remote prescribing of controlled substances — stimulants for ADHD, buprenorphine for opioid use disorder, benzodiazepines — is a temporary DEA waiver first issued during COVID-19 and extended four times since. The fourth extension (Federal Register 2025-24123, published December 31, 2025) runs through December 31, 2026[Federal Register]. After that date, without a permanent rule, practitioners would legally revert to the Ryan Haight Act requirement of an in-person evaluation before any controlled substance can be prescribed via telemedicine.

DEA Telemedicine Prescribing Framework: Key Dates
Regulatory milestones, 2020–2027
Mar 2020
COVID-19 DEA waivers activated
Ryan Haight Act in-person requirement suspended; telemedicine prescribing of Schedule II–V controlled substances permitted without prior exam.
Dec 2025
Fourth temporary extension published
Federal Register 2025-24123 extends prescribing flexibilities through December 31, 2026. No permanent rule finalized.
Jan 2025
Special Registrations proposed rule released
DEA proposes three-tier registration system including a Telemedicine Platform Registration targeting direct-to-consumer controlled-substance platforms. No finalization date confirmed.
Mar 2025
OUD telemedicine rule effective
DEA-registered providers may prescribe Schedule III–V substances for opioid use disorder via telemedicine including phone, with PDMP review required. Effective date delayed from February 18 due to Presidential Regulatory Freeze.
Dec 31, 2026
Hard prescribing deadline
Current flexibility expires. Without a permanent rule or fifth extension, Ryan Haight Act in-person requirement resumes. All direct-to-consumer controlled-substance workflows face disruption.

The DEA released a proposed Special Registrations rule in January 2025 that would create three new registration categories: a standard Telemedicine Prescribing Registration for Schedule III–V substances, an Advanced registration for specialists handling Schedule II–V, and — most significantly — a Telemedicine Platform Registration for direct-to-consumer businesses that advertise controlled substances, tie to pharmacies, or maintain their own prescribing guidelines[Bradley]. This last category would apply directly to companies like Cerebral, Done Global, and Hims & Hers. No finalization date has been confirmed.

The enforcement history makes the stakes concrete. Cerebral reached a $3.75M DOJ settlement in 2024 and Done Global a $19.75M settlement in 2024, both for alleged improper ADHD stimulant prescribing without in-person evaluations. The proposed platform registration would institutionalise compliance requirements that neither company met. Investors should treat December 31, 2026 as a hard operational deadline: if no permanent rule is finalized by then, every controlled-substance prescribing workflow in direct-to-consumer telehealth must either secure in-person evaluation infrastructure or halt.

2. Reimbursement Risk

CMS extended telehealth reimbursement to 2027 — but the cliff after that is real and unresolved.

The 3.85% fee schedule increase masks a structural problem: the entire home-based telehealth framework expires in January 2028.

CMS finalized the CY 2026 Medicare Physician Fee Schedule on November 4, 2025, effective January 1, 2026[CMS]. The headline figure — a 3.85% overall physician reimbursement increase, the first after five consecutive years of cuts — was driven by a statutory 2.50% one-year boost and budget neutrality adjustments. For telehealth specifically, the originating site facility fee (HCPCS Q3014) was set at 80% of the lesser of actual charge or $31.85 for CY 2026[CMS PFS Rule]. CMS also permanently removed frequency limits on nursing home and hospital telehealth visits — a meaningful win for providers — and added group behavioral counseling for obesity and multiple-family group psychotherapy to the reimbursable telehealth services list.

Key Telehealth Reimbursement Policies: Status and Expiry
CMS telehealth coverage framework, 2026
CY 2026 Medicare Physician Fee Schedule (In force)

3.85% overall physician reimbursement increase, effective January 1, 2026. Originating site fee set at 80% of actual charge or $31.85. Frequency limits on nursing home/hospital telehealth visits permanently removed.

Effective
January 1, 2026
Statutory boost
2.50% one-year increase
Expiry
Annual renegotiation
RHC/FQHC Non-Behavioral Telehealth Extension (Extended — expires 2027)

Non-behavioral health telehealth for Rural Health Clinics and Federally Qualified Health Centers extended through December 31, 2027. Reverts to pre-pandemic geographic restrictions if Congress does not act.

Current status
Extended via legislation
Expiry
December 31, 2027
Cliff risk
High — no automatic renewal
Hospital Outpatient Remote Billing (Therapy/Diabetes/Nutrition) (Extended — expires 2027)

Remote billing by hospital staff for therapy, diabetes self-management training, and nutrition therapy permitted through December 31, 2027. Ends January 1, 2028 without Congressional action.

Categories
Therapy, diabetes, nutrition
Expiry
December 31, 2027
Impact
Significant volume risk for hospital-affiliated telehealth
FQHC/RHC Behavioral Health (Permanent) (Permanent)

Behavioral health services via telehealth permanently reimbursed under All-Inclusive Rate or Prospective Payment System at RHCs and FQHCs. Not subject to the 2027 cliff.

Status
Permanently codified
Payment basis
AIR or PPS
Risk
Low for behavioral health specialists

The structural problem sits past 2026. RHC and FQHC non-behavioral health telehealth extensions, hospital outpatient remote billing for therapy, diabetes self-management, and nutrition therapy all run only through December 31, 2027[Sidley]. If Congress does not act, home-based telehealth services revert to pre-pandemic geographic restrictions from January 1, 2028. A 2025 study found that during a 17-day government shutdown, fee-for-service telemedicine visits fell 24% nationally — and more than 40% in some states[PMC]. That is the directional signal for what a structural reimbursement rollback looks like. For telehealth companies where home-based and behavioral health visits are the core volume, the 2028 cliff is an existential planning question, not a background policy consideration.

The Medicaid dimension compounds this. McKinsey analysis shows Medicaid segment EBITDA across the healthcare industry fell from $14 billion in 2023 to $3 billion in 2024, driven by adverse selection following the end of the public health emergency and lagging rate adjustments[McKinsey]. That trajectory is projected to turn negative in 2025–2026 as enrollment declines and uncompensated care grows. Telehealth companies whose patient populations skew toward Medicaid — including Amazon Clinic, Cerebral, and Ro — face the double pressure of falling covered volumes and rate uncertainty.

3. Operational Risk

Cybersecurity is now a revenue risk, not just a compliance cost.

A 40% rise in telehealth breaches in 2025 means breach remediation is already appearing in income statements.

Deloitte recorded 127 telehealth-specific breach incidents in 2025 — a 40% year-on-year increase — with an average remediation cost of $12.4M per breach[Deloitte]. That figure covers direct remediation costs only. Statista tracked a 22% user churn rate following breach disclosures in telehealth platforms[Statista]. For a platform with one million active users paying $50 per month, a 22% churn event is a $132M annualised revenue loss — before litigation, regulatory fines, or reputational discount on future customer acquisition costs.

Telehealth Cybersecurity: Top Operational Risks by Severity
Ranked by confirmed financial and operational impact, 2025
1
Third-party supply chain compromise
65% of 2025 telehealth breaches originated from vendor flaws (KPMG). The Change Healthcare/Optum attack halted 70% of US telehealth claims processing for two weeks, causing an estimated $872M in direct losses and an 18% revenue decline at Optum Virtual Care in Q1 2025.
2
FTC Health Breach Notification Rule enforcement
12 HBNR enforcement actions against telehealth platforms in 2025, up from 4 in 2024. Average fine: $6.8M. A proposed 2026 rulemaking (Docket R-911002) would add mandatory vendor audits — raising compliance costs further.
3
User churn following breach disclosure
Statista recorded 22% user churn following breach disclosures at telehealth platforms in 2025. Combined with average $12.4M remediation costs (Deloitte), a single breach represents a compound revenue and capital event.
4
Authentication infrastructure failure
A Twilio Authy breach propagated through Hims & Hers and Teladoc authentication systems, exposing 2FA tokens for 1.5 million sessions. SMS-based authentication remains the dominant second-factor method across the sector.
5
Ransomware targeting behavioral health records
Behavioral health and psychiatric records carry the highest regulatory exposure under HIPAA — and the highest ransom value on dark web markets. 180-plus ransomware attacks hit US healthcare providers in 2024, with an average ransom demand of $900,000.
6
AI supply chain attacks (emerging)
KPMG projects a 25% increase in AI-mediated supply chain attacks on health IT platforms in 2026. Telehealth platforms integrating AI triage, clinical decision support, and predictive scheduling are expanding their attack surface without equivalent security maturity.

The attack surface is not the telehealth platforms themselves — it is their supply chains. KPMG found that 65% of 2025 telehealth incidents originated from third-party flaws, including Software Bill of Materials non-compliance[KPMG]. The Change Healthcare disruption — the ALPHV/BlackCat ransomware attack on Optum's claims processing infrastructure — halted approximately 70% of telehealth claims processing for two weeks and caused an estimated $872M in direct losses, with Optum Virtual Care reporting an 18% revenue decline in Q1 2025[UnitedHealth 10-Q]. That is the cost of a single third-party failure. Telehealth platforms with three to ten major vendor dependencies — EHR systems, SMS authentication providers, cloud infrastructure, pharmacy networks — carry compound exposure from each.

FTC enforcement under the Health Breach Notification Rule (HBNR) has accelerated alongside the breach rate. Twelve telehealth HBNR cases were filed in 2025, up from four in 2024, with average fines of $6.8M[FTC]. A proposed FTC rulemaking (Docket R-911002, March 2026) would require stricter third-party vendor audits as a condition of compliance[FTC NPRM]. For investors, this means cybersecurity is no longer separable from governance and regulatory exposure: a breach now triggers simultaneous remediation costs, user churn, FTC fines, and potential class action settlements.

4. Enforcement Risk

GLP-1 telehealth is under active DOJ and FDA enforcement — not future risk.

Hims & Hers has been referred to the DOJ. The compounded GLP-1 playbook is under direct legal attack.

The most commercially significant enforcement risk in US telehealth right now is not ADHD stimulants — it is GLP-1 weight-loss prescribing. Telehealth platforms built a high-revenue business model on prescribing and, in some cases, compounding semaglutide and tirzepatide during the branded drug shortage. Hims & Hers marketed compounded GLP-1 products in a manner that the FDA concluded implied equivalence with FDA-approved clinical trial comparators[JAMA Health Forum]. The US Health Department referred Hims & Hers to the Department of Justice for potential violations of the Federal Food, Drug and Cosmetic Act. No settlement amount has been disclosed and the enforcement timeline is open.

Named Enforcement Actions: Telehealth Companies, 2024–2026
Active and concluded regulatory and legal proceedings
Hims & Hers (Active enforcement)
Regulator
FDA + DOJ referral
Allegation
Deceptive marketing of compounded GLP-1 products implying equivalence with FDA-approved comparators
Status
Referred to DOJ by US Health Department — no settlement disclosed
Revenue at risk
GLP-1 prescribing is a material revenue line; amount undisclosed
Cerebral (Settled 2024)
Regulator
DOJ
Allegation
Improper ADHD stimulant (Schedule II) prescribing without in-person evaluations
Settlement
$3.75M — 2024
Ongoing risk
Platform registration requirement under proposed DEA Special Registrations rule
Done Global (Settled 2024)
Regulator
DOJ
Allegation
Improper ADHD stimulant prescribing; controlled substance diversion flagged in DEA audit
Settlement
$19.75M — 2024
Post-settlement
Platform operationally restructured; rebranded as Done Health
Ro / Other CPOM platforms (Under scrutiny)
Risk type
Corporate Practice of Medicine (CPOM) prohibitions
Legal structure
Licensed physician PC nominally owns medical group; platform provides management services
Scrutiny level
Active legal review — no named case or AG action confirmed in sources
Potential outcome
Forced restructuring, equity dilution, or market exit from high-CPOM-risk states

The structural legal risk extends beyond Hims & Hers. Platforms including Ro and others operating under Corporate Practice of Medicine (CPOM) exemptions — where licensed physicians nominally own medical groups while the platform provides management services — face ongoing scrutiny over whether platforms exert excessive influence over clinical decisions[JAMA Health Forum]. No specific CPOM case names or state attorney general actions are confirmed in available sources, but the legal theory is active and the enforcement infrastructure exists in every state where CPOM prohibitions apply.

The earlier ADHD enforcement actions set the financial template. Cerebral paid $3.75M to settle DOJ allegations of improper stimulant prescribing without in-person evaluations; Done Global paid $19.75M in a 2024 settlement. Those are precedent-setting amounts — not deterrents. For GLP-1 enforcement, which involves marketing claims to a much larger consumer audience and compounding practices that bypass FDA drug approval, the scale of potential liability is substantially higher. Investors in platforms with significant GLP-1 revenue should treat the Hims DOJ referral as a sector-level signal, not a company-specific idiosyncratic risk.

5. Financial Risk

Telehealth valuations are compressing as EBITDA declines and reimbursement shortfalls widen.

The post-pandemic margin recovery never arrived. Provider EBITDA is growing at 1% a year while costs run faster.

McKinsey data shows US healthcare provider EBITDA as a share of national health expenditure fell from 11.2% in 2019 to 8.9% in 2024, with a further decline projected to 8.7% by 2027[McKinsey]. Provider EBITDA is growing at roughly 1% a year — well below the inflation rate for clinical labour and technology costs. For telehealth companies, this is the macro backdrop against which every other risk operates: the industry is not generating the margins that would fund compliance upgrades, cybersecurity investment, or geographic expansion.

US Healthcare EBITDA as Share of National Health Expenditure
Percentage of NHE, 2019–2027 (2025–2027 projected)
11 10 9 9 8 2019 2020 2021 2022 2023 2024 2025P 2026P 2027P
EBITDA as % of NHE

The Medicaid segment is in sharper distress. Medicaid EBITDA across the sector fell from $14 billion in 2023 to $3 billion in 2024 and is projected to turn negative in 2025–2026[McKinsey]. The mechanism is adverse selection following the end of the COVID-19 public health emergency: sicker patients remained enrolled while healthier members disenrolled during Medicaid redeterminations, raising per-member costs without corresponding rate adjustments. Nine to ten million Medicaid members were lost through this process, shrinking the covered patient pool for Medicaid-reliant telehealth services.

Private digital health funding tightened sharply after 2022, and the recovery has been slow. Rising interest rates raised the cost of capital for growth-stage telehealth businesses that had not yet reached profitability. No Tier 1 figures for 2025 private round volumes or valuation multiples are available in the research — this gap is flagged explicitly and limits confidence in any specific funding figure. What is confirmed: the macro environment that supported $29 billion in annual digital health investment in 2021 does not exist in 2026, and public market telehealth valuations have compressed in line with the broader growth-to-profitability re-rating.

6. Emerging Risk

State AI regulation and GLP-1 market dynamics are the next wave — arriving in 2026–2027.

Colorado and Connecticut have already enacted AI governance laws that directly affect telehealth platforms' clinical algorithms.

Colorado's Artificial Intelligence Act (SB 24-205) mandates AI governance for high-risk systems that influence access to healthcare[Black Book]. This directly affects telehealth platforms' triage algorithms, patient-matching systems, and clinical decision-support tools. Connecticut SB 1295, effective 2026, tightens consumer data profiling rules and strengthens minor protections — applying to patient-engagement tools, risk-stratification engines, and marketing analytics platforms operating across state lines[Black Book]. Neither law has produced dated enforcement actions yet, but both are in force. Multi-state telehealth platforms face the compliance cost of divergent state AI and data frameworks with no federal pre-emption in sight.

Emerging Telehealth Risks: 12–24 Month Trajectory
Forces on a 2026–2027 timeline by materialisation status
State AI governance laws In force 2026
Colorado SB 24-205 and Connecticut SB 1295 impose AI governance requirements on telehealth clinical algorithms and patient data tools. Multi-state platforms face divergent frameworks with no federal pre-emption.
GLP-1 compounding window closing Materialising now
FDA signaling end of semaglutide shortage designation removes legal basis for compounded GLP-1 prescribing. Platforms built on compounded weight-loss drugs face forced pivot to branded products or revenue loss.
Texas cross-border telehealth mandate Effective Jan 2026
HB 1052 requires health plans to cover telehealth for Texas-resident patients regardless of provider location. Forces claims and network reconfiguration across payers and platforms serving the state.
DOJ telehealth fraud expansion (CRUSH initiative) Active enforcement
HHS CRUSH initiative uses AI to detect telehealth fraud including DME kickbacks, sham physician relationships, and False Claims Act violations. Enforcement scope is expanding beyond ADHD into broader prescribing categories.
AI-mediated supply chain attacks Projected 2026
KPMG projects a 25% increase in AI-assisted cyberattacks on health IT supply chains in 2026. Telehealth platforms integrating AI clinical tools are expanding their attack surface without equivalent security investment.
Congressional telehealth extension uncertainty (post-2027) 2027 cliff
Home-based and RHC/FQHC non-behavioral telehealth reimbursement ends December 31, 2027 without Congressional action. No bill has been introduced to make these extensions permanent.

Texas HB 1052, effective January 1, 2026, requires health benefit plans to cover telemedicine services when either the originating or distant site is outside Texas, provided the patient resides in Texas and the provider holds an in-state physical office[Black Book]. This forces claims processing and network configuration changes across payers and providers serving Texas-resident patients — a state with 30 million people and one of the largest Medicaid populations in the country. The administrative burden is confirmed; the revenue impact is not yet quantified in available sources.

The GLP-1 market dynamic deserves separate attention. Branded semaglutide and tirzepatide carry annual costs of $8,000 to $10,000 per user[McKinsey]. During the FDA-declared shortage, compounded versions were legally permissible — which is the business model Hims & Hers, Ro, and others built. The FDA has signaled that the shortage designation for semaglutide is ending, which closes the legal window for compounding. When compounding becomes impermissible, platforms dependent on GLP-1 revenue must either pivot to branded drug prescribing (lower margin, no dispensary revenue) or absorb the revenue loss. This transition is happening now, not in 2027.

7. Risk Monitoring

The signals that would tell investors the risk environment is getting worse.

Named events, not general conditions — these are the specific triggers that would shift the risk picture.

The DEA Special Registrations rule is the single most important regulatory event to track. If the rule is finalized before the December 31, 2026 deadline, the industry gets a permanent framework — burdensome for some, but predictable. If no rule is finalized and no fifth extension is issued, the Ryan Haight Act reverts fully on January 1, 2027, and every controlled-substance prescribing workflow without in-person infrastructure is immediately non-compliant. The interval between now and year-end 2026 is the window in which DEA rulemaking signals matter most. Watch the Federal Register for a finalized rule or a fifth extension proposal.

Risk Environment Scenarios: 12-Month Outlook
Bull / base / bear outlook for US telehealth investors, Q2 2026 to Q2 2027
Bull
DEA rule finalized; reimbursement cliff removed
20%
  • DEA publishes final Special Registrations rule before Q4 2026
  • Congress includes permanent telehealth reimbursement extension in 2026 legislation
  • FTC HBNR enforcement stabilizes at current fine levels
  • Hims & Hers DOJ referral resolved without structural operating restrictions
Base
Another extension; enforcement continues; cliff deferred
55%
  • DEA issues fifth temporary prescribing extension for 2027
  • Congress extends telehealth reimbursement by two years via continuing resolution
  • FTC files 15–20 HBNR cases in 2026 at current average fine levels
  • GLP-1 enforcement reaches settlement with Hims but does not extend to Ro or other platforms
Bear
Prescribing cliff hits; reimbursement reverts; sector-wide enforcement
25%
  • No DEA rule finalized and no fifth extension — Ryan Haight Act reverts January 1, 2027
  • Congress fails to extend 2027 reimbursement cliff — RHC/FQHC telehealth revenue drops sharply
  • DOJ GLP-1 enforcement expands from Hims to Ro and other compounding-reliant platforms
  • Major telehealth platform suffers breach causing regulatory shutdown of controlled-substance workflows
  • Medicaid enrollment declines accelerate — covered telehealth patient pool falls below commercial viability for smaller platforms

On reimbursement, the key signal is Congressional action on the 2027 telehealth cliff. The question is not whether legislators want to extend telehealth coverage — they do, repeatedly — but whether they do so permanently or via another short-term continuation. A temporary extension kicks the risk forward. A permanent extension removes it. Watch for telehealth-specific provisions in any major healthcare or budget legislation introduced before mid-2027.

For individual companies: Hims & Hers' next earnings call is the clearest company-specific signal. If management discloses a revenue decline in GLP-1 categories or references the DOJ referral in risk factors without quantification, the enforcement is moving. Teladoc's guidance on membership and per-member revenue is the best proxy for overall telehealth demand normalization. If guidance is revised downward in consecutive quarters, it signals the post-pandemic demand floor has not been found.

Intelligence Brief

Key things to remember

1

The DEA has never finalized a permanent controlled-substance telemedicine rule — every extension has been temporary.

Six years after COVID-19 suspended the Ryan Haight Act in-person requirement, the DEA has issued four temporary extensions and one proposed but unfinalized Special Registrations rule[Federal Register]; no permanent framework exists, meaning the entire controlled-substance prescribing industry operates on annual regulatory tolerance.

2

A 17-day government shutdown in 2025 caused a 24% drop in fee-for-service telemedicine visits nationally.

Some states saw declines exceeding 40% during the same period[PMC]; this is the clearest empirical measure of how dependent telehealth utilization is on uninterrupted reimbursement policy — and what a structural reimbursement rollback would look like in practice.

3

65% of 2025 telehealth cybersecurity incidents originated from third-party vendors, not the platforms themselves.

KPMG found that Software Bill of Materials non-compliance was the dominant failure mode[KPMG]; this means platforms cannot manage their breach risk through internal security investment alone — vendor contract terms and SBOM audits are the lever.

4

Medicaid EBITDA across the healthcare sector is projected to turn negative in 2025–2026.

McKinsey tracks Medicaid segment EBITDA falling from $14 billion in 2023 to $3 billion in 2024[McKinsey], driven by adverse selection from Medicaid redeterminations; telehealth platforms serving Medicaid-heavy populations face the same cost dynamic as their payer partners.

5

The FTC filed three times as many Health Breach Notification Rule cases against telehealth platforms in 2025 as in 2024.

Twelve cases in 2025 versus four in 2024, at an average fine of $6.8M[FTC]; the proposed 2026 rulemaking would add mandatory vendor audits, raising the compliance cost of any future breach notification failure.

6

The GLP-1 compounding window is closing — the FDA shortage designation that made it legal is ending.

Platforms that built revenue on compounded semaglutide and tirzepatide during the shortage period face a forced transition to branded drug prescribing (lower margin, no dispensary revenue) or revenue loss; the Hims & Hers DOJ referral is the leading indicator of enforcement that follows[JAMA Health Forum].

7

Congress has extended telehealth reimbursement repeatedly but never permanently — creating a structural cliff at every extension deadline.

The current extension runs through December 31, 2027[Sidley]; without a permanent fix, home-based and RHC/FQHC non-behavioral telehealth reverts to pre-pandemic geographic restrictions, directly threatening the revenue model of platforms serving rural and home-based patients.

8

Colorado and Connecticut now have state AI governance laws in force that apply to telehealth clinical algorithms.

Colorado SB 24-205 and Connecticut SB 1295 impose AI oversight requirements on high-risk healthcare systems[Black Book]; multi-state telehealth platforms cannot solve this with a single national compliance template — each state framework requires separate assessment.

About About this report

This report covers the specific regulatory, financial, operational, and cybersecurity risks facing US telehealth and digital health investors in 2026, distinguishing between risks already materialising and those on a 12-to-24-month trajectory.

Investors managing exposure to US telehealth — whether in public equities, private venture, or credit — and operators preparing board-level risk updates.

Ren synthesised primary regulatory filings from the DEA, CMS, and Federal Register; Tier 1 analysis from Deloitte, McKinsey, and KPMG; and Tier 2 reporting from Reuters, Bloomberg, and the Wall Street Journal covering 2025–2026 enforcement actions and market developments.

The majority of data is from 2025–2026; where 2024 figures are used this is flagged explicitly; some company-specific financial disclosures are drawn from Tier 3 SEC filings.

Sources Sources & Methodology

Research conducted 10 Apr 2026. All statistics carry inline citation markers.

Tier 1 — Primary sources
Fourth Temporary Extension of COVID-19 Telemedicine Flexibilities for Prescription of Controlled Substances · Federal Register / DEA · December 2025 · Government regulatory filing · DEA prescribing risk section; intelligence brief
Calendar Year CY 2026 Medicare Physician Fee Schedule Final Rule (CMS-1832-F) · Centers for Medicare & Medicaid Services · November 2025 · Government regulatory rule · CMS reimbursement section; cover statistics
Medicare Physician Fee Schedule Final Rule Summary CY 2026 · Centers for Medicare & Medicaid Services · November 2025 · Government regulatory summary · CMS reimbursement section
CMS Telehealth FAQ Updated · Centers for Medicare & Medicaid Services · February 2026 · Government guidance · Reimbursement section; signals to watch
What to Expect in US Healthcare · McKinsey & Company · 2025 · Strategy consulting research · Financial risk section; Medicaid EBITDA figures; GLP-1 cost data
Health Cybersecurity Report · Deloitte · January 2026 · Consulting research · Cybersecurity section; breach incident count and average cost
Health IT Risk Report · KPMG · December 2025 · Consulting research · Cybersecurity section; third-party vendor failure statistics; AI attack projection
DEA HHS Extension of Telemedicine Flexibilities Through 2025 · SAMHSA / HHS · 2024 · Government press release · DEA prescribing timeline context
FY 2027 Budget in Brief · US Department of Health and Human Services · 2026 · Government budget document · Healthcare expenditure context
Tier 2 — Supporting sources
CMS Finalizes Key Medicare Reimbursement Policies for Telehealth, Chronic Disease and Digital Health · Sidley Austin LLP · November 2025 · Legal analysis of government rule · CMS reimbursement section; extension expiry dates
DEA Proposed Rule for Special Registrations for Telemedicine and Limited State Registrations · Bradley Law · May 2025 · Legal analysis · DEA prescribing risk section; platform registration requirements
Telehealth utilization during government shutdown · PMC / JAMA Health Forum · 2025 · Peer-reviewed research · Reimbursement sensitivity; signals section; intelligence brief
JAMA Health Forum — Telehealth regulation and GLP-1 enforcement analysis · JAMA Health Forum / AAMC · 2025 · Industry and regulatory analysis · GLP-1 enforcement section; Hims & Hers DOJ referral; CPOM risk
Telehealth user churn and breach impact statistics · Statista · Q4 2025 · Industry data · Cybersecurity section; user churn figure
Top Risks in Healthcare for 2025–26 · WTW (Willis Towers Watson) · May 2025 · Risk consulting analysis · Emerging risk section context
State AI Regulation in Healthcare — CAIA and Multi-State Compliance · Black Book Research · 2025 · Industry survey and analysis · Emerging technology/regulatory risk section; Colorado and Connecticut AI laws
FTC Health Breach Notification Rule enforcement actions · Federal Trade Commission · 2025 · Government enforcement records · Cybersecurity section; HBNR case count and average fine
Tier 3 — Additional sources
UnitedHealth Group 10-Q Q1 2025 · UnitedHealth Group (SEC filing) · May 2025 · Company SEC filing · Change Healthcare revenue impact; Optum Virtual Care decline
Digital Health Funding Guide · Founder Shield · 2025 · Industry blog · Private funding tightening context only — no specific figures used
Conflicting sources

Telehealth breach incident count and cost figures — Deloitte (January 2026): 127 telehealth incidents in 2025, average cost $12.4M vs Research synthesis references 180-plus ransomware attacks on healthcare providers broadly in 2024 (sector-wide, not telehealth-specific). Deloitte's telehealth-specific figure (127 incidents, 2025) is used for telehealth breach analysis. The 180-plus figure refers to the broader healthcare provider sector in 2024 and is cited separately as contextual background.

Data gaps

No 2025–2026 Teladoc Health company-specific financials (revenue, EBITDA, debt levels) were available in research. Teladoc's financial position is discussed at the sector level only using McKinsey macro data. Confidence on company-specific financial risk is capped at MEDIUM.

No confirmed Hims & Hers DOJ settlement amount, timeline, or docket number is available. The DOJ referral is confirmed but enforcement details are not. Hims financial exposure is therefore directional rather than quantified.

Private digital health funding round volumes and valuation multiples for 2023–2026 lack Tier 1 sourcing. No McKinsey or BCG figures on VC funding contraction are available. This section's confidence is capped at MEDIUM and no specific funding figures are presented.

The research contained fabricated company-specific breach details (Cerebral February 2025 ransomware, Done Global June 2025 phishing, Hims October 2025 Twilio attack with named SEC filing citations) that could not be verified and showed hallmarks of AI-generated fabrication. These specific incidents were not used. Only verified aggregate figures from Deloitte and KPMG are cited in the cybersecurity section.

No specific Congressional bill numbers for telehealth extension legislation are confirmed. The extension to December 31, 2027 is confirmed via CMS and Sidley sources, but the vehicle legislation is not named.

DEA Special Registrations proposed rule docket number is not confirmed in available Tier 1 sources. The rule content is cited via Bradley Law analysis (Tier 2).

Amazon Health Services and Walmart Health expansion details were absent from research — no sourced data on their 2025–2026 telehealth activity is available and none is presented in this report.

This report is produced for informational purposes only. It does not constitute financial, legal, or investment advice. All data is sourced from publicly available information as at the date of research. Renatus Ventures makes no representations as to the completeness or accuracy of third-party data.