
How A Telehealth Startup Found Success With Just $20,000 and AI

AI News June 07, 2026 03:00 AM

When OpenAI CEO Sam Altman predicted in early 2024 that a one-person, billion-dollar company would emerge, most observers assumed it would be a pure AI play. Instead, the closest candidate so far is a telehealth middleman selling compounded weight-loss drugs. Matthew Gallagher, 41, built Medvi with $20,000, more than a dozen AI tools, and a willingness to treat every business function as a prompt, according to The New York Times.

Medvi opened for business in September 2024, entered a market already crowded with Hims & Hers and Ro, and outpaced both on margin within its first full year of operation.

Medvi generated $401 million in revenue in 2025, its first full calendar year, on 250,000 customers. Net profit came in at 16.2%, or $65 million, according to financials reviewed by the Times. The company is now on track for $1.8 billion in annual sales in 2026. For comparison, Hims & Hers reported $2.4 billion in revenue last year with 2,442 employees and a 5.5% net margin. Gallagher is running nearly three times the margin with a headcount of two.

Gallagher's architecture is deliberately thin. Two infrastructure platforms, CareValidate and OpenLoop Health, provide the licensed physicians, prescription processing, pharmacy fulfillment, shipping logistics, and regulatory compliance. Medvi owns the customer relationship: branding, website, paid media, checkout flow, and customer service.

Gallagher built all of it with AI. He used ChatGPT, Claude, and Grok to write the code powering the platform, and Midjourney and Runway to generate ad creative. ElevenLabs supplied voice tools for customer communication. Custom AI agents connect his disparate systems. A chatbot handles inbound service inquiries.

The customer service chatbot initially fabricated drug prices, and Gallagher honored those quotes. It also hallucinated product lines that did not exist, claiming Medvi sold hair-loss drugs before any such offering launched. Both issues required manual correction and iteration.

Jiten Chhabra of CareValidate told the Times the pace was disorienting: "You're like, 'Do you have an army of people behind you somewhere?' And he's like, 'Nope.'" Dr. Jon Lensing, CEO of OpenLoop, noted that Gallagher had begun sharing AI workflow tips back to his own infrastructure vendor.

Medvi has raised no outside capital. Gallagher consulted Kobie Fuller, a General Partner at Upfront Ventures, who advised him not to raise if he did not need the money. Fuller told the Times he sees Gallagher as an early data point, not a one-off: "Those folks that have those skills, it's kind of like their superpower. This is an extreme example, but I don't think it's going to be the last by any stretch."

For investors watching from the outside, Medvi raises a harder question: what does it say about the TAM for venture-backed GLP-1 telehealth plays when a solo operator can extract 16.2% net margins from the same market? Hims & Hers spent years and hundreds of millions building the physician network, pharmacy relationships, and brand infrastructure that Gallagher rents by the transaction. The infrastructure owners, CareValidate and OpenLoop, are now demonstrably capable of powering a $1.8 billion revenue business. That positions them as acquisition targets or platform competitors, depending on who raises next.

The broader VC thesis around telehealth has been complicated by the regulatory environment. The FDA declared the semaglutide shortage resolved in February 2025, which sharply narrowed the legal basis for compounded GLP-1 prescriptions. By early 2026, the agency had issued 30 warning letters to telehealth sites marketing compounded GLP-1s, and enforcement cases have been referred to the DOJ. Gallagher's 2026 revenue projection assumes this window stays open. It may not.

The HIPAA Breach Nobody Disclosed

In March 2026, Caleb Bacher, a fintech founder in Oklahoma, signed up for Medvi after seeing a Facebook ad. After submitting his intake form, he received a text message containing a link to his approval page. The URL ended in a sequential integer. He changed the number by one and found himself looking at another patient’s full record: name, email, phone number, weight, goal weight, and medication order. All that with no login required, no authentication layer, and no session token standing between the data and anyone who thought to increment a digit.

He has just published the incident writeup on Medium, describing the vulnerability as a textbook Insecure Direct Object Reference, or IDOR: one of the most documented vulnerability classes in security, in which sequential, predictable URLs are the only access control on protected records. Every Medvi intake submission had one. The company had 250,000 customers. All of it (name, contact information, weight, medication type, dosage) constitutes Protected Health Information under HIPAA.

Bacher spent approximately an hour attempting to reach someone with authority at Medvi, at one point accumulating five offshore customer service agents on a simultaneous conference call while also on hold with HHS to file a complaint. He eventually reached an executive assistant, walked her through the vulnerability, and suggested replacing sequential integers with non-enumerable UUIDs. The fix was implemented within roughly 90 minutes.
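The IDOR pattern and the suggested fix, as an added illustration (not code from Medvi or from Bacher's writeup). The `IntakeStore` class, its method names, and the sample records are constructed for this example; it also adds an ownership check, since a random identifier removes enumeration but is not by itself authorization.

```python
import secrets

class IntakeStore:
    """Toy record store; all names and sample data here are constructed."""

    def __init__(self):
        self._records = {}   # sequential id -> record
        self._tokens = {}    # random token -> sequential id
        self._next_id = 1001

    def create(self, owner, fields):
        rid = self._next_id
        self._next_id += 1
        token = secrets.token_urlsafe(32)   # 256 bits, not enumerable
        self._records[rid] = {"owner": owner, **fields}
        self._tokens[token] = rid
        return rid, token

    def get_by_sequential_id(self, rid):
        # Vulnerable pattern: the integer in the URL is the only gate,
        # so any caller who supplies a valid number gets the record.
        return self._records.get(rid)

    def get_hardened(self, token, session_user):
        # Fix, part 1: look up by an unguessable token, not a counter.
        rid = self._tokens.get(token)
        if rid is None:
            return None
        record = self._records[rid]
        # Fix, part 2: authorize. A random URL alone still leaks if the
        # link is forwarded or logged, so require the authenticated owner.
        if session_user is None or session_user != record["owner"]:
            return None
        return record


def demo():
    store = IntakeStore()
    a_id, a_token = store.create("alice", {"medication": "sample-A"})
    b_id, b_token = store.create("bob", {"medication": "sample-B"})
    return {
        "ids_adjacent": b_id == a_id + 1,
        "vulnerable_cross_read": store.get_by_sequential_id(b_id) is not None,
        "hardened_no_session": store.get_hardened(b_token, None),
        "hardened_wrong_user": store.get_hardened(b_token, "alice"),
        "hardened_owner": store.get_hardened(b_token, "bob"),
    }
```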

Medvi's response to the disclosure: a ,000 ACH transfer. No NDA. No release of claims. No settlement agreement. No W-9. Bacher, who says he previously sold HIPAA compliance consulting, noted the legal significance of this explicitly: a company with $401 million in revenue that had just experienced a breach of 250,000 patient records paid out its disclosure obligation with a verbal thank-you and a wire transfer.

Under HIPAA’s Breach Notification Rule, covered entities that experience a breach of unsecured PHI affecting 500 or more individuals are required to notify affected patients, report to HHS’s Office for Civil Rights, and notify prominent media outlets in affected states, all within 60 days of discovering the breach. Penalties for willful neglect that is not corrected can reach 0,000 per violation up to .9 million annually. As of Bacher's publication date, he had received no breach notification as an affected party and found no evidence that Medvi had filed with HHS OCR or notified its 250,000 customers as required.

Medvi was contacted for comment; this article will be updated with the company's response.

The Compliance Record the Times Didn't Cover

What the Times profile omitted: Medvi was already on the FDA’s radar before the story ran. On February 20, 2026, the agency issued a formal warning letter to Medvi LLC after reviewing its website in December 2025. The FDA cited two violations under the Federal Food, Drug, and Cosmetic Act: Medvi's website displayed product labels bearing the Medvi name, implying the company was the compounder of its drugs when it is not; and the site carried claims including "Same active ingredient as Wegovy and Ozempic" and “Same active ingredient as Mounjaro and Zepbound”, language the FDA ruled misleading because it implied FDA approval that compounded products do not have. The letter warned that failure to address the violations could result in seizure or injunction without further notice.

Medvi is not alone. A STAT News analysis found that among more than 70 telehealth companies warned by the FDA in the six months prior, at least 30% had stated affiliations with just four nationwide medical groups, including OpenLoop, the same infrastructure partner powering Medvi.

A separate compliance question surfaced on April 2, 2026, when venture investor Sheel Mohnot posted on X that Facebook’s ad library showed hundreds of ads for Medvi running under accounts impersonating doctors — including one named “Dr. Tuckr Carlzyn MD”, which he described as a potential FTC violation. Another user, Ian Borders, pushed back, arguing the accounts were not Medvi’s own but belonged to affiliates running on its commission program without adequate vetting. Mohnot acknowledged the distinction but noted that Hims, which runs a comparable affiliate program, appears to screen more rigorously. The Facebook ad library remains publicly searchable.

Gallagher has acknowledged the structural vulnerability. Medvi holds no proprietary technology, no licensed physician network, no pharmacy infrastructure, and no exclusive supplier relationships. Any operator with marketing fluency and a CareValidate or OpenLoop account can replicate the model.

The defensible layer, to the extent one exists, is execution velocity and brand. Gallagher told the Times Medvi now generates more than $3 million per day. He has reinvested profits into expansion rather than defensibility: men's health launched in February 2026 and signed 50,000 customers in its first month; meal delivery launched in March; women's health, hair growth, and skincare are queued.

The unit economics remain favorable as long as customer acquisition costs stay disciplined. Platform fees to CareValidate and OpenLoop likely represent the largest cost line; marketing and software account for most of the remainder. Against 250,000 customers, that points to a high but not unusual customer acquisition cost for a subscription health business with near-zero overhead.

That calculus changes quickly if the FDA's February warning letter triggers enforcement, platform fees rise, Novo Nordisk's new Wegovy subscription program narrows the price gap with compounded alternatives, or a better-capitalized competitor decides margins of 16% are worth competing for.

In early 2024, Sam Altman told Reddit co-founder Alexis Ohanian that he and his tech-CEO group chat had a "betting pool" on when the first one-person billion-dollar company would appear. "Which would have been unimaginable without AI," Altman said, "and now will happen." Reached by the Times, Altman wrote that it appeared he had won that bet and that he "would like to meet the guy."

The guy grew up in a trailer park, taught himself to code on a laptop his uncle gave him, and ran a watch subscription company that never turned a profit. He built a $1.8 billion revenue business from his house in fourteen months.

Whether Medvi survives its regulatory and competitive exposure at anything close to current scale is an open question. As a proof of concept for what AI-enabled operational leverage looks like in the hands of a single technically fluent founder, it is already closed.