Skip to main content
xcircl
All teardowns
Teardown·Jul 12, 2026·4 min read

How FDA warning-letter matching works

Turning "appears on an FDA warning-letter list" into a responsible data field is mostly about not getting it wrong. The pipeline, and how we handle false positives.

When a provider "appears on an FDA warning-letter list," that's a real, citable signal — but turning it into a data field responsibly is mostly about not getting it wrong. Here's the pipeline, and specifically how we handle false positives.

The context

The GLP-1 space has been an active enforcement area. The FDA has published statements clarifying compounding policy as the national GLP-1 supply stabilized (FDA, April 2026) and warning about unapproved GLP-1 drugs used for weight loss (FDA, June 2026). We screen against FDA warning-letter lists across our dataset — 6,028 providers FDA-screened at the current snapshot.

The matching challenge

The hard part is entity resolution. A warning letter names a legal entity; a provider record has a business name, aliases, parent companies, and same-name-different-entity collisions. Naive string matching produces false positives — flagging a clinic that merely shares a name with a cited entity. That is the failure mode we design against.

The pipeline

Name normalization → address and domain corroboration → confidence threshold. We only attach a flag at high confidence. Below threshold, nothing is attached — we would rather miss a weak match than smear the wrong provider.

False-positive handling (the part that matters)

Every flag routes through a human review queue before it's published. Providers have a correction/appeal channel. The signal is expressed neutrally and click-through: "appears on an FDA warning-letter list (date, source link)" — never "illegal" or a legal characterization. When a false positive is identified, the flag is removed and the change is timestamped, so the record's history is auditable.

What this means for you

If your agent uses this signal to steer users away from a provider, you need the confidence and the source, not a verdict. We give you the original FDA link and the check date; we don't tell your users a provider broke the law. You decide how to act on a cited, dated signal.

curl "https://xcircl.com/api/v1/coverage/"   # fda_screened count, live

Data as of the 2026-07-12 12:48 UTC snapshot, pulled live from /api/v1/coverage/. Every figure above is substituted from that endpoint at request time — nothing is hardcoded.