Yesterday, a detailed investigative report landed that should put every healthcare software company on notice.
Delve, the Y Combinator-backed compliance startup that made headlines last July when it raised $32 million at a $300 million valuation, has been accused of systematically faking audit reports for hundreds of clients. The allegations come from a group calling themselves DeepDelver: a collective of former Delve customers who pooled their notes, compared experiences, and published a 10,000-word investigation yesterday.
The company looked like a genuine success story. Founders Karun Kaushik (CEO) and Selin Kocalar (COO) met as MIT freshmen, dropped out in their sophomore year, went through Y Combinator in 2024, raised a $3.3M seed round in January 2025, and followed it six months later with the $32M Series A led by Insight Partners. Both founders made Forbes 30 Under 30. Their pitch that AI agents could compress months of compliance work into days resonated with fast-growing startups that were desperate to unlock enterprise deals gated behind SOC 2 and HIPAA requirements.
What the investigation alleges is that the speed was real, but for the wrong reason: the audits weren’t being done properly.
What Was Actually Going On
The story started with a single misconfigured Google Spreadsheet left publicly accessible with “anyone with the link” sharing that exposed hundreds of confidential draft audit reports. When affected clients confronted Delve’s leadership, they were met with flat denials. That’s what motivated the group to investigate properly and publish.
After analyzing 494 leaked SOC 2 reports, the picture was hard to argue with. 493 of the 494 were essentially the same document, with only the company name, logo, and signature swapped out; even the grammatical errors were identical across every client. Auditor conclusions and test procedures were pre-populated in draft reports before clients had even submitted their company description. The conclusion existed before there was anything to audit, which directly violates AICPA AT-C Section 205. All 259 Type II reports, from 259 completely separate companies, claimed zero security incidents across the entire observation period.
The “US-based CPA firms” Delve advertised turned out to be Indian certification mills operating through shell entities and mailbox agents. The platform itself auto-generated passing evidence for employees who hadn’t completed onboarding, pre-fabricated board meeting minutes and risk assessments, and published fully populated trust pages the moment clients first logged in — before any compliance work had been done.
Why This Hits Harder in Healthcare
For most software companies, a fake SOC 2 is a serious legal and reputational problem. For companies handling protected health information, the stakes are categorically different.
HIPAA carries federal criminal enforcement. Violations due to willful neglect bring mandatory penalties of $50,000 per violation, up to $1.9 million per violation category per year, and in serious cases prison time. The DeepDelver investigation states explicitly that Delve’s process leaves clients in violation of both HIPAA and GDPR, with GDPR fines reaching up to 4% of global annual revenue. Among Delve’s affected clients, the investigation notes, are companies processing the PHI of millions of Americans daily.
If you’ve sold a healthcare product to a hospital, payer, or enterprise client on the strength of a compliance report that came from this kind of process, whether through Delve or any similar shortcut, your exposure may be real and you may not know it yet.
What You Can Actually Do About It
What does this mean for how you approach compliance going forward?
Know the red flags of compliance theater. Speed is the biggest one. A legitimate SOC 2 Type II audit takes weeks of evidence gathering and back-and-forth with your engineering team. If the whole process felt like clicking through forms and signing pre-populated documents, something was wrong. Zero findings across an entire audit is another red flag: real auditors find things. And if your trust page was live and fully populated before you’d done any actual work, that’s not a feature, it’s a problem.
Verify your auditor independently. Before your next audit cycle, look up your audit firm directly. Are they a registered CPA firm in the state they claim? Do they have a real office, a real website, a verifiable history of audits? The AICPA maintains a public directory. This takes twenty minutes and can save you from the exact situation Delve’s clients are now in.
Check what your integrations are actually doing. A lot of compliance platforms sell automation but deliver screenshot collectors. Log in to your platform and check: are your integrations pulling live data from your actual systems, or are you uploading manual evidence? The difference matters enormously when an enterprise security review goes deeper than the badge.
Audit your SaaS sharing settings — separately from your compliance program. The Delve story broke not because of a hack, but because of a single misconfigured sharing setting on a Google Spreadsheet. This is worth a dedicated look: who has access to what in your shared drives, documentation tools, and project management systems? Compliance certifications say nothing about this.
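As an added example (not code from the original post, Delve, or any vendor named here), the script below walks a Drive-style permissions listing and flags the sharing states this recommendation is about: link-only sharing, public-on-the-web sharing, whole-domain sharing, and accounts outside your organization. The file names, email addresses and the `org_domain` parameter are constructed assumptions; the record shape mirrors Google Drive API v3 `files.list` output with the `permissions` field requested.

```python
# Added example, not from the original post: flag Drive files shared with
# "anyone with the link", with the whole domain, or with an outside account.
# SAMPLE_FILES is constructed to mirror Google Drive API v3 files.list output
# with the `permissions` field requested; it is not real data.

SAMPLE_FILES = [
    {"id": "file-001", "name": "Draft audit reports (all clients)",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "ops@example.com"},
         {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "file-002", "name": "Risk assessment 2025",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "ciso@example.com"},
         {"type": "domain", "role": "writer", "domain": "example.com"}]},
    {"id": "file-003", "name": "Vendor contract",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "legal@example.com"},
         {"type": "user", "role": "commenter", "emailAddress": "a@partner.test"},
         {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
]

SEVERITY = {"public-web": 0, "anyone-with-link": 1, "whole-domain": 2, "external-user": 3}

def classify(permission: dict, org_domain: str):
    """Label one permission entry, or return None if it is not a finding."""
    ptype = permission.get("type")
    if ptype == "anyone":
        # Discoverable on the web is worse than link-only sharing.
        return "public-web" if permission.get("allowFileDiscovery") else "anyone-with-link"
    if ptype == "domain":
        return "whole-domain"
    if ptype == "user":
        email = permission.get("emailAddress", "")
        if not email.lower().endswith("@" + org_domain):
            return "external-user"
    return None

def audit_sharing(files: list, org_domain: str = "example.com") -> list:
    """Return one finding per over-shared permission, most severe first."""
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            label = classify(p, org_domain)
            if label:
                findings.append({"file_id": f["id"], "name": f["name"], "role": p.get("role"), "finding": label})
    return sorted(findings, key=lambda x: SEVERITY[x["finding"]])

if __name__ == "__main__":
    for x in audit_sharing(SAMPLE_FILES):
        print(f"{x['finding']:<16} {x['role']:<9} {x['name']} ({x['file_id']})")
```

Pointing `audit_sharing` at a real listing means paging through `files.list` with `fields=files(id,name,permissions)` on a service account that can read the drive; the ranking puts the one setting that caused the Delve leak at the top.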
Treat compliance as ongoing, not a report you file once. A SOC 2 Type II covers a specific observation window. The question is what your controls look like the other nine months of the year. Continuous monitoring, regular access reviews, and documented incident response processes are what enterprise security teams actually check when they do their own due diligence.
If you used an automated compliance platform, get an independent review. Not necessarily a full re-audit right now, but have someone who wasn’t involved in your original compliance process take an honest look at whether your technical controls are actually implemented, or just documented. There’s a difference, and a real enterprise security review will find it.
What Compliance Should Actually Look Like
The Delve story is an extreme version of something more common: compliance programs that create paper coverage without real security underneath. Getting it right isn’t complicated, but it does require treating compliance as a technical and operational program rather than a procurement decision.
Real auditors design their own test procedures, request specific evidence, and push back when something doesn’t add up. Your infrastructure has to actually enforce what you’re claiming – encryption, access controls, audit logging, and breach notification need to be built into the stack, not asserted in a document. And the firm helping you build your compliance program should not be the same entity writing your auditor’s conclusions.
The Delve situation is still developing and regulatory scrutiny seems likely. If you’re a current or former Delve client handling PHI, the time to understand your actual exposure is before someone else starts asking.
At Topflight Apps, HIPAA compliance is baked into how we build, not bolted on at the end. If you’re unsure where you stand, or you’re building something new and want to get the security architecture right from the start, we’re happy to talk it through.
We’re offering a complimentary HIPAA compliance review for health-tech companies that subscribed to Delve but want an honest look at whether their technical controls are actually implemented – not just documented.