Key Takeaways:

• Enforcement authorities are increasingly scrutinizing potential diversion of controlled substances evaluating and whether hospitals and healthcare organizations maintained effective controls, reporting systems, auditing practices, and compliance oversight.
• Recent criminal and civil enforcement actions, often involving parallel scrutiny from multiple federal and state law enforcement and regulatory agencies, highlight law enforcement's and regulators’ expectations that companies proactively detect, investigate, and remediate diversion-related risks.
• Hospitals and healthcare organizations that identify potential diversion of controlled substances should respond quickly by preserving evidence, engaging outside counsel, complying with strict reporting obligations, and proactively strengthening diversion prevention and detection programs.

---

Over the last decade, diversion of controlled substances from hospitals and healthcare facilities has drawn increasing scrutiny from law enforcement and regulators due to the significant risks to patient safety. In recent years, hospitals and healthcare organizations have paid multimillion-dollar settlements to resolve allegations that they failed adequately to prevent, detect, investigate, or report diversion-related misconduct. As enforcement activity continues to expand, healthcare companies and executives face substantial criminal, civil, administrative, and reputational risks associated with diversion incidents, including parallel investigations conducted by multiple agencies with overlapping jurisdiction.

This article examines the legal frameworks underlying investigations by the U.S. Department of Justice (“DOJ”), the Food and Drug Administration (“FDA”), and the Drug Enforcement Administration (“DEA”) into the distribution of controlled substances, focusing primarily on diversion and related misconduct. It also highlights key considerations and provides a practical guide for healthcare organizations responding to government inquiries, managing parallel investigations, confronting the significant criminal, civil, and administrative risks described herein, and strengthening diversion prevention and compliance programs.

Finally, although focused on diversion, many of the themes and principles described in this article also apply to controlled substance investigations unrelated to diversion.

Relevant Law Enforcement and Regulatory Agencies

Investigating and prosecuting the diversion of controlled substances falls within the overlapping jurisdiction of numerous federal, state, and local law enforcement and regulatory agencies charged with protecting public health and patient safety. Because diversion incidents frequently implicate controlled substance laws, healthcare regulations, licensing requirements, reimbursement obligations, and patient safety concerns simultaneously, organizations often face parallel investigations by multiple agencies once diversion is uncovered or suspected. These investigations may proceed concurrently and involve both criminal and civil exposure.

Relevant agencies include:

• DOJ (U.S. Attorneys’ Offices): Prosecutes criminal and civil violations of federal law, including violations of the Federal Food, Drug, and Cosmetic Act (“FDCA”), Controlled Substances Act (“CSA”), False Claims Act (“FCA”), Anti-Kickback Statute (“AKS”), healthcare fraud statutes, wire fraud statutes, and related offenses arising from diversion conduct. DOJ often coordinates multi-agency investigations.

• FDA: Enforces the FDCA and regulates the manufacture, labeling, and distribution of prescription drugs and other regulated products. FDA works closely with DOJ to investigate and prosecute civil and criminal violations of the FDCA, particularly where diversion implicates adulteration, misbranding, counterfeit drugs, product tampering, unlawful distribution practices, or failures in supply chain controls. In diversion matters, FDA jurisdiction may overlap with that of the DEA, especially where conduct affects both drug integrity and controlled substance accountability.
  
  The FDA Office of Criminal Investigations (“OCI”) serves as FDA’s criminal investigative arm and is responsible for conducting investigations and making criminal referrals to DOJ. OCI investigates conduct including prescription drug diversion schemes, falsified records, “pill mill” operations, tampering offenses, online pharmacy violations, and the distribution of counterfeit or diverted pharmaceuticals. FDA OCI agents frequently coordinate with DOJ, DEA, the Department of Health and Human Services Office of Inspector General (“HHS-OIG”), the Federal Bureau of Investigation (“FBI”), state licensing authorities, and local law enforcement through multi-agency task forces and joint investigations. FDA OCI employs more than 200 special agents throughout the United States and during fiscal year 2024 reported more than 166 arrests and 142 convictions.

• DEA: Enforces the CSA, including its registration, security, recordkeeping, prescribing, dispensing, and anti-trafficking provisions. DEA works closely with DOJ to investigate and prosecute civil and criminal violations involving diversion of controlled substances, including unlawful prescribing practices, inadequate diversion controls, suspicious order monitoring failures, deficient recordkeeping, theft or loss reporting violations, and illegal distribution networks. DEA also exercises broad administrative authority over DEA registrants, including healthcare providers, pharmacies, distributors, manufacturers, and treatment facilities, and may impose administrative sanctions independent of criminal proceedings, including suspension or revocation of DEA registrations.

• State and Local Prosecutors’ Offices: Investigate and prosecute violations of state criminal and civil laws, including state-controlled substances statutes, healthcare fraud laws, licensing violations, and state-law analogues to the FDCA and CSA. State attorneys general and local prosecutors may pursue actions independently or alongside federal authorities.

• Local Police Departments and State Law Enforcement Agencies: Investigate violations of local and state criminal laws, including theft, fraud, drug diversion, unlawful possession, and related offenses. Local law enforcement frequently participates in coordinated diversion investigations with federal agencies.

• State Regulatory Agencies and Professional Licensing Boards: Enforce compliance with state healthcare licensing and regulatory requirements applicable to healthcare professionals, pharmacies, hospitals, and healthcare facilities. These entities may initiate disciplinary proceedings, impose fines, suspend or revoke licenses, require corrective action plans, or refer matters for criminal prosecution.

In the context of fentanyl diversion, for example, FDA may assert jurisdiction over tampering offenses under the FDCA where a healthcare worker extracts fentanyl from vials or syringes and replaces it with saline or another substance, thereby rendering the drug “adulterated” or “misbranded” under federal law. At the same time, DEA may pursue violations of the CSA arising from failures to maintain accurate controlled substance records, inadequate diversion controls, unlawful distribution, or trafficking-related conduct. The same underlying conduct therefore may trigger overlapping regulatory, civil, and criminal exposure across multiple agencies.

Parallel Investigations and Collateral Exposure

Because diversion of controlled substances may violate both federal and state laws simultaneously, organizations commonly face multiple, overlapping investigations by different agencies and prosecutors’ offices. These investigations may expand beyond the initial diversion conduct and expose organizations to broader scrutiny concerning compliance, billing practices, internal controls, and patient care.

When a governmental entity becomes involved in a healthcare-related investigation, there is a substantial risk that the inquiry will broaden into additional areas of potential liability. Conduct identified during a diversion investigation may lead to scrutiny under the FCA, healthcare fraud statutes, reimbursement rules, or state licensing requirements. For example, in December 2025, an addiction treatment center agreed to pay $1 million to resolve allegations that it failed to comply with CSA provisions designed to prevent diversion of controlled substances for unlawful use, as well as an additional $1 million to resolve allegations that it violated the FCA by billing government healthcare programs for treatment services it failed to adequately provide. The CSA-related allegations arose from audits and investigations conducted by DEA.

Criminal Liability

Organizations and individuals may face significant criminal exposure arising from the diversion of controlled substances under both the FDCA and the CSA. In many diversion matters, prosecutors pursue overlapping theories of liability under multiple federal statutes simultaneously.

Over the past several decades, DOJ has increasingly emphasized individual accountability in corporate enforcement matters, including prosecutions of executives and supervisory personnel alleged to have failed adequately to prevent or remediate unlawful conduct. DOJ and federal regulators have repeatedly stressed that organizations cannot shield responsible individuals from criminal liability merely because misconduct occurred within a corporate structure.

Criminal Liability Under the FDCA

The FDCA prohibits, among other things, the introduction or delivery for introduction into interstate commerce of adulterated or misbranded drugs. In diversion-related matters, FDCA liability may arise where controlled substances are tampered with, diluted, contaminated, mislabeled, diverted outside lawful distribution channels, or otherwise rendered adulterated or misbranded.

Criminal violations of the FDCA generally are prosecuted as misdemeanors punishable by fines, imprisonment, or both. Misdemeanor violations under the FDCA do not require criminal intent, and the FDCA is therefore considered to be a “strict liability” statute (see Responsible Corporate Officer (“Park”) Doctrine, below). However, violations committed with the “intent to defraud or mislead” may be prosecuted as felonies punishable by fines, imprisonment of up to three years, or both. Fines for misdemeanor or felony FDCA violations run up to $250,000 for individual defendants and up to $500,000 for corporate defendants. In addition to statutory penalties, criminal convictions can trigger collateral consequences, including exclusion from federal healthcare programs, reputational harm, enhanced regulatory scrutiny, and follow-on civil litigation.

Federal prosecutors may also pursue diversion-related conduct under the federal product tampering statute, 18 U.S.C. § 1365, which criminalizes tampering with consumer products under circumstances demonstrating reckless disregard for the risk of death or bodily injury. Convictions under § 1365 may carry penalties of up to ten years’ imprisonment, and penalties may increase where serious bodily injury or death results.

Responsible Corporate Officer (“Park”) Doctrine
Under the “Responsible Corporate Officer” doctrine, commonly referred to as the “Park Doctrine,” corporate executives and other responsible officials may face misdemeanor criminal liability under the FDCA even if they did not personally participate in, direct, or have actual knowledge of the underlying misconduct. The doctrine merely requires that the defendant who holds a position of power within the corporation with the responsibility and authority to prevent or remediate the violation failed to exercise that authority to prevent the violation. This is a strict liability offense, meaning there is no intent or mens rea requirement.

The Park doctrine originated in a 1975 Supreme Court case, United States v. Park, which upheld the criminal misdemeanor conviction of a corporate executive tasked with ensuring compliance with safety regulations after rats were found to have infested one facility. The Supreme Court held that by failing to responsibly exercise the scope of his corporate authority to prevent the rat infestation, the executive could be held criminally liable, despite his lack of any intentional wrongdoing.

When determining whether to recommend a Park violation prosecution to DOJ, FDA considers, among other things, the individual’s position in the company, the severity of the violation, the actual or potential harm to the public from the violation, and whether the violation is part of a pattern of illegal behavior. Park doctrine convictions can result in significant fines or even prison time for corporate executives.

Although used sparingly, the Park Doctrine prosecutions remain an important enforcement tool, particularly in matters involving patient harm, systemic compliance failures, or significant public health concerns.

Criminal Liability Under the CSA

The CSA establishes a comprehensive regulatory framework governing the manufacture, distribution, dispensing, prescribing, storage, and handling of controlled substances. DEA registrants—including manufacturers, distributors, pharmacies, hospitals, practitioners, and treatment facilities—are authorized to handle controlled substances only within the scope of their DEA registration and only for legitimate medical, scientific, or industrial purposes. Both organizations and individuals may face criminal liability under the CSA for violations involving CSA’s registration and/or anti-trafficking provisions.

Registration violations under the CSA include failing to maintain necessary records for the required time frame, failing to conduct mandatory audits of controlled substances, failing to detect and report suspicious orders of controlled substances, and dispensing controlled substances without prescriptions. A violation of the CSA’s recordkeeping and reporting requirements requires only a showing of negligence. A knowing or intentional violation, on the other hand, constitutes a criminal offense and is punishable by a fine or up to one year in prison.

DEA and DOJ have increasingly focused enforcement efforts on whether registrants maintained effective systems to detect and prevent diversion, particularly in the context of opioids and injectable controlled substances. Inadequate internal controls, deficient monitoring systems, repeated documentation failures, or failure to investigate red flags may be cited as evidence supporting criminal enforcement actions.

The CSA’s trafficking provisions make it illegal to “manufacture, distribute, or dispense, or possess with intent to manufacture, distribute, or dispense, a controlled substance,” except as authorized under the Act. It is also illegal for any person “knowingly or intentionally to possess a controlled substance,” unless the substance was obtained in a manner authorized by the CSA. When prosecuting such offenses, DOJ must demonstrate that the violations were committed knowingly or intentionally. Penalties may be significant, including up to 10 years to life in prison and a fine of up to $10 million for an individual or a fine of up to $50 million for an organization. Penalties increase for second or subsequent offenses, or if death or serious bodily injury results from the use of the controlled substance.

In addition to potential criminal penalties, organizations and individuals convicted of, or who plead guilty to, certain offenses involving controlled substances may face debarment from participation in federal healthcare programs. Debarment and exclusion can have severe operational consequences for healthcare organizations and professional consequences for individual practitioners, effectively barring them from conducting business with or receiving reimbursement from the federal government for extended periods.

Civil Liability and Other Enforcement Options

In addition to criminal liability and the significant patient safety, operational, and reputational harms, diversion of controlled substances can expose healthcare organizations to substantial civil, administrative, and regulatory liability. Federal and state regulators increasingly view diversion prevention as a core compliance obligation, and enforcement authorities have repeatedly imposed significant monetary penalties on healthcare entities that failed to adequately detect, prevent, investigate, or report diversion activity.

In addition to pursuing criminal enforcement actions, DEA possesses broad administrative and civil authority under the CSA to regulate DEA registrants, including hospitals, pharmacies, manufacturers, distributors, practitioners, and treatment facilities. DEA may take both formal and informal enforcement actions where it determines that a registrant failed to maintain effective controls against diversion or otherwise failed to comply with CSA requirements. These actions may include warning letters, administrative inspections and audits, civil monetary penalties, corrective action requirements, suspension or revocation of DEA registrations, and orders to show cause.

Importantly, DEA enforcement frequently extends beyond the individual employee responsible for diversion and focuses on whether the institution itself maintained adequate compliance systems and internal controls. DEA and DOJ commonly scrutinize whether organizations maintained accurate controlled substance records, conducted required audits and inventories, implemented effective diversion detection systems, restricted employee access appropriately, investigated discrepancies adequately, and timely reported thefts or significant losses. Even where diversion is perpetrated by a single bad actor, regulators increasingly evaluate potential institutional failures in oversight, monitoring, and compliance infrastructure as independently actionable violations under the CSA.

Healthcare entities also may face parallel enforcement exposure from state regulators and licensing authorities. State attorneys general, boards of pharmacy, departments of health, and professional licensing boards may independently investigate diversion incidents and pursue civil, administrative, or disciplinary actions based on alleged failures in controlled substance handling, supervision, recordkeeping, patient safety, or professional oversight. Such proceedings may result in monetary penalties, corrective action requirements, licensure restrictions, or heightened regulatory monitoring, even where federal authorities decline to pursue formal enforcement action.

Recent Enforcement Actions and Criminal Cases Involving Controlled Substance Diversion

Recent enforcement actions and criminal prosecutions demonstrate the government’s continued focus on both institutional and individual accountability for diversion-related compliance failures. Here are some examples:

• In March 2026, a healthcare system agreed to pay $3.2 million to resolve allegations involving hundreds of violations of CSA recordkeeping and security requirements, including failure to maintain accurate controlled substance records, report theft or loss to the DEA, and maintain effective controls against diversion.

• In April 2026, a former nurse practitioner and medical practice owner pleaded guilty to unlawfully possessing unused oxycodone obtained from patients with the intent to distribute it. The nurse, who is yet to be sentenced, faces a proposed sentence under her plea agreement with DOJ of 52 months’ imprisonment followed by three years of supervised release.

• In January 2026, a former hospital nurse was sentenced to three years’ probation and 100 hours of community service following a guilty plea to unlawfully obtaining fentanyl and benzodiazepines by fraud, deception, and subterfuge in violation of the CSA, 21 U.S.C. §§ 843(a)(3), (d)(1).

• In July 2025, a hospital network agreed to pay $2.75 million to resolve allegations of CSA noncompliance after a pharmacy technician diverted controlled substances using another employee’s credentials. The settlement also resolved allegations that the organization failed to maintain effective diversion controls and accurate controlled substance records.

• In July 2025, a travel nurse was sentenced to five years’ imprisonment followed by three years of supervised release for obtaining controlled substances by fraud and wrongfully disclosing protected health information in connection with the diversion of hydromorphone for personal use.

• In 2023, a medical center agreed to pay $2 million for alleged violations of CSA recordkeeping requirements after a nurse stole fentanyl and a DEA audit identified hundreds of additional fentanyl bags that were unaccounted for.

• In 2022, a health system agreed to pay $4.36 million to resolve alleged civil and criminal CSA violations after one employee diverted more than 11,000 controlled substances over a multi-year period and another employee tampered with fentanyl vials.

• In 2022, a hospital agreed to pay $1.9 million to resolve alleged CSA recordkeeping violations after a pharmacy technician diverted nearly 18,000 dosage units of controlled substances.

Taken together, these matters illustrate a consistent enforcement theme: healthcare institutions and individual practitioners may face substantial civil or criminal liability for failures relating to controlled substance handling, diversion prevention, recordkeeping, prescribing practices, reporting obligations, and internal oversight. Regulators expect organizations handling controlled substances to maintain proactive and robust diversion prevention programs capable of detecting suspicious activity promptly, reconciling discrepancies effectively, escalating red flags appropriately, and ensuring accurate controlled substance accountability throughout the supply chain and point-of-care environment.

These matters further demonstrate that regulators frequently pursue institutions not only for the diversion itself, but also for alleged failures in governance, compliance infrastructure, auditing, supervision, reporting, and internal controls. As a result, organizations should view diversion prevention and response as an enterprise-wide compliance issue.

Key Takeaways When Companies Face Controlled Substance Diversion

Recent enforcement actions underscore that companies handling controlled substances—including pharmaceutical manufacturers, wholesale distributors, healthcare systems, pharmacies, and treatment facilities—face significant regulatory, civil, and criminal exposure when diversion controls fail. As noted, government investigations increasingly focus not only on the individual employee responsible for the diversion, but also on whether the organization maintained adequate systems to detect, prevent, investigate, and remediate misconduct. In addition to criminal prosecution, organizations may face substantial civil penalties, reputational harm, operational disruption, and administrative action by DEA, including warning letters, suspension or revocation of DEA registrations, and monetary penalties.

Organizations that discover or suspect diversion should consider the following five practical steps:

Move Quickly and Protect the Investigation with Privilege

When diversion is suspected, organizations should act immediately to preserve evidence, assess the scope of the issue, and mitigate ongoing risk. Although every matter is fact-specific, a prompt and thorough investigation may include preserving surveillance footage and electronic access logs, securing dispensing and inventory records, interviewing relevant personnel, conducting targeted audits, drug testing employees when appropriate, and restricting access to controlled substances for suspected individuals pending further review. Preserving potentially relevant evidence is critical, both to support the investigation and to avoid allegations of spoliation.

Companies should consider engaging outside counsel at the outset of any significant diversion investigation. In addition to providing regulatory and investigative expertise, outside counsel can help structure the investigation to maximize attorney-client privilege and work-product protections. Reliance solely on internal business, compliance, or human resources personnel may create factual records that are not protected and are more vulnerable to disclosure in subsequent government investigations or litigation.

Early engagement with experienced outside counsel can significantly improve an organization’s ability to navigate overlapping FDA, DEA, DOJ, state regulatory, and licensing issues. Counsel can help coordinate responses to subpoenas, inspection requests, and government inquiries; assess potential criminal, civil, and administrative exposure; and advise on interactions with regulators and law enforcement.

Outside counsel also can help organizations make strategic decisions regarding self-disclosure, cooperation, remediation, and communications with regulators. In appropriate circumstances, proactive cooperation and timely remediation may improve credibility with enforcement authorities and place the organization in a stronger position during negotiations or settlement discussions.

Comply with Reporting Deadlines

DEA registrants are subject to strict reporting obligations when there are thefts and significant losses of controlled substances. Specifically, registrants generally must notify DEA of any “theft or significant loss” within one business day of discovery and subsequently submit DEA Form 106 within 45 days of the discovery of diversion. Failure to comply with reporting obligations may itself constitute an independent basis for enforcement.

Diversion incidents also may trigger additional federal, state, local, licensing, accreditation, or contractual reporting requirements, each with different timelines and substantive requirements. Organizations should have a prepared list of reporting obligations and promptly report any applicable diversion incidents to the relevant regulators and stakeholders.

Use Consultants Strategically

In many matters, healthcare consultants, auditors, or forensic specialists can play an important role in evaluating diversion risks, conducting records reviews, assessing compliance gaps, and recommending remediation measures. Organizations often benefit from retaining such consultants through outside counsel so that their work may be conducted under the protection of attorney-client privilege and work-product doctrines where appropriate.

Consultants can assist with targeted incident reviews, controlled substance reconciliation exercises, diversion program assessments, and benchmarking against industry standards and regulatory expectations. Their findings also may help shape remediation plans and support communications with regulators.

Evaluate and Strengthen Diversion Detection and Prevention Programs

Enforcement authorities increasingly expect organizations to maintain robust, proactive diversion prevention and detection programs designed to identify suspicious activity before patient harm or systemic compliance failures occur. Companies should evaluate whether existing policies, procedures, and controls adequately address:

• controlled substance monitoring and analytics;

• discrepancy reporting and escalation procedures;

• physical security and employee access controls;

• inventory reconciliation and auditing practices;

• suspicious activity detection;

• employee training and reporting mechanisms;

• documentation and recordkeeping practices; and

• periodic testing and assessment of diversion controls.

Organizations also should regularly reassess diversion prevention programs to account for evolving technologies, enforcement priorities, operational risks, and industry best practices. Periodic tabletop exercises and compliance “stress tests” may help identify gaps before regulators do.

Establish and Reinforce a Culture of Compliance

Regulators often evaluate whether senior leadership has fostered a genuine culture of compliance surrounding controlled substances. Even well-designed policies may prove ineffective if management fails to prioritize compliance, respond appropriately to red flags, or empower compliance personnel to act independently and effectively.

Accordingly, organizations should ensure that compliance personnel possess sufficient authority, resources, and organizational stature to oversee diversion prevention efforts effectively. Leadership should consistently reinforce expectations regarding controlled substance accountability and communicate a clear zero-tolerance approach toward diversion and related misconduct.

* * *

FDA’s OCI has made clear that it will continue coordinating with DOJ, DEA, state regulators, and other law enforcement agencies to investigate controlled substance diversion and product tampering involving FDA-regulated products. Recent enforcement actions demonstrate that these investigations focus not only on the individual wrongdoer, but also on whether the organization maintained effective controls to prevent, detect, and respond to diversion.

For pharmaceutical manufacturers, distributors, healthcare systems, pharmacies, and other DEA registrants, diversion incidents can quickly expand into broader investigations concerning recordkeeping, diversion controls, reporting obligations, patient safety, and compliance oversight. Parallel investigations by multiple federal and state agencies are common, and even isolated misconduct may expose organizations to significant criminal, civil, administrative, and reputational risk.

Against this backdrop, companies should proactively reassess their controlled substance compliance programs and ensure that diversion prevention measures are operational, well-resourced, and effectively implemented in practice—not merely reflected on paper. Early engagement with experienced counsel can help organizations navigate investigations, comply with reporting obligations, strengthen compliance programs, and mitigate enforcement risk before regulatory scrutiny escalates.

 

This publication is for general information purposes only. It is not intended to provide, nor is it to be used as, a substitute for legal advice. In some jurisdictions it may be considered attorney advertising.