By Kevin Brenner | Friday, May 22, 2026
Not Good is not an indictment of the companies it covers. It is a study of the mistakes made inside them — by people prone to making them.
On August 22, 2018, a senior partner at McKinsey & Company sat down and emailed himself a personal to-do list. The subject line was two words. “When home.”
One of the items on the list was this: “delete old pur documents from laptop[.]”
The “pur” was Purdue Pharma, the maker of OxyContin. McKinsey’s client for more than fifteen years.
That email became evidence in a federal obstruction case. One year ago today, on May 22, 2025, a judge sentenced the partner who wrote it — Martin Elling — to six months in federal prison.
Companies pay fines. People do time.
McKinsey & Company
McKinsey & Company turns 100 this year. It is the firm other firms benchmark against. Elite MBA programs reliably feed it, CEOs emerge from it, and its alumni occupy corner offices across major public companies. Its public Code of Conduct is detailed and polished: a serious ethics document from a firm that sells judgment, discipline, and professional standards for a living.
That is the point. If a deletion instruction can move through that firm, it can move through yours.
The Advice That Created the Problem
For more than a decade, McKinsey consulted with Purdue on how to sell more OxyContin during the deadliest overdose epidemic in American history. McKinsey’s own internal materials used the word “turbocharge” in connection with identifying new OxyContin growth opportunities.
“Turbocharge” is one of those words that sounds better in a sales deck than in the headline of a state attorney general’s press release announcing a 573 million settlement, or in a DOJ criminal sentencing announcement.
The strategy included intensified marketing to “High Value Prescribers,” prescribers DOJ described as writing opioid prescriptions for uses that were unsafe, ineffective, and medically unnecessary.
That phrase, “High Value Prescribers,” is doing a lot of work.
In a spreadsheet, it can sound like routine customer segmentation. In an enforcement file, it can sound like a very bad answer to the question: “High value to whom?”
To encourage insurers and Pharmacy Benefit Managers to keep paying for Purdue’s drugs, McKinsey also modeled a rebate concept tied to overdoses and opioid use disorder, including an “attractive option” of paying a rebate in the range of 6,000 to 14,000 dollars for each patient who was harmed. In a 2017 presentation, McKinsey reportedly proposed that Purdue offer rebates for opioid addiction or overdose cases involving its medication, estimating thousands of OxyContin-related incidents and suggesting payments of about 14,810 dollars “per event.”
A rebate. Per overdose. Read on its own, this looks like a routine pricing exercise — the kind of model consultants produce for clients every week. Set against an overdose epidemic, it became indefensible.
Some PowerPoint slides should trigger spellcheck. Others should trigger Legal.
DOJ’s civil False Claims Act theory was that McKinsey’s advice caused false and fraudulent claims for OxyContin to be submitted to Medicare, Medicaid, TRICARE, the Federal Employees Health Benefit Program, and the Veterans Health Administration. McKinsey agreed to pay more than 323 million dollars to resolve this civil False Claims Act allegations/liability.
The Conflict Problem
There was another False Claims Act theory.
DOJ alleged that from 2014 to 2017, McKinsey knowingly misled the FDA by concurrently assigning consultants to work on both FDA projects and competitively sensitive Purdue projects, contrary to McKinsey’s conflict-of-interest policy.
McKinsey had represented to the FDA that consultants serving the FDA would not be assigned to competitively sensitive projects for a significant period after their FDA assignments. McKinsey admitted that it did not tell the FDA those consultants were working on Purdue projects around the same time they were working on the FDA project.
For federal contractors, this is the lesson.
A conflict policy in a proposal, certification, RFP response, or compliance deck can become an enforcement exhibit. Once you sell a control to the government, you have to operate the control. “See slide 14 of our proposal” is rarely the sentence that saves the day.
Making Matters Worse
By July 2018, multiple state attorneys general had sued Purdue, and Massachusetts had become the first state to sue Purdue executives and directors personally. McKinsey was not yet the named defendant it would later become, but its Purdue work was squarely in the zone of risk. Regulators were scrutinizing Purdue’s directors, sales strategy, and opioid marketing practices, and McKinsey had advised on key parts of that strategy. Anyone paying attention could see the exposure building.
Martin Elling was paying attention.
Elling was a senior partner who had served as director of the client services team on roughly 30 McKinsey engagements with Purdue. He was not a junior associate who panicked.
On July 4, 2018, Elling emailed another McKinsey partner after reading that a Purdue board member had been sued by state attorneys general. He wrote:
“Just saw in the FT that [Purdue board member] is being sued by states attorneys general for her role on the [Purdue] Board. It probably makes sense to have a quick conversation with the risk committee to see if we should be doing anything other [than] eliminating all our documents and emails. Suspect not but as things get tougher there someone might turn to us.”
That email survived. A lot of bad corporate facts start with a sentence nobody meant to leave behind.
Five weeks later came the “When home” to-do list.
Forensic analysis later found that Elling deleted Purdue-related materials from his McKinsey-issued laptop and a Purdue-related folder from his Outlook account. The deleted Windows folder was titled “Purdue,” included a subfolder titled “Strategy,” and contained more than 100 items with filenames dating as far back as 2004. The filenames also included the name of Purdue’s former CEO, who pleaded guilty to federal misbranding charges in 2007.
Then, on August 25, 2018, Elling emailed himself another instruction: “Remove Pur[due] folder from garbage[.]”1
There are many ways to make Legal’s day worse. Writing “remove Purdue folder from garbage” to yourself is near the top.
My read: without the deletion, the individual criminal case is much harder. Consulting advice, even ugly consulting advice during a public health emergency, is harder to prove beyond a reasonable doubt. Destroying Purdue files from a corporate laptop while reading about the client’s legal exposure is a cleaner charge.
The Bill
Before this case, no management consulting firm had ever been held criminally responsible for the sales and marketing advice it gave a client. McKinsey was the first. What follows is the bill.
In February 2021, McKinsey paid 573 million dollars to resolve investigations by 47 states, the District of Columbia, and five U.S. territories. The settlement required McKinsey to disclose tens of thousands of internal documents for public disclosure online and stop advising companies on potentially dangerous Schedule II and III narcotics.
In December 2024, McKinsey paid another 650 million dollars to resolve DOJ’s criminal and civil investigation into its Purdue work and entered into a five-year deferred prosecution agreement. The criminal Information charged McKinsey U.S. with felony obstruction and misdemeanor conspiracy tied to aiding and abetting the misbranding of prescription drugs.
McKinsey also entered into HHS-OIG’s first Corporate Integrity Agreement with a management consulting firm, including a Quality Review Program and independent Compliance Expert. A CIA is corporate probation. Companies spend millions trying to avoid one.
In April 2026, a bankruptcy court approved a 125 million dollar McKinsey settlement with Purdue.
The headline numbers now include a 573 million dollar multistate settlement, a 650 million dollar federal resolution, and a 125 million dollar bankruptcy settlement.
That is a very expensive answer to the question: Who knew what, and what did they do next?
What Went Wrong Inside
The easy version is: bad facts, bad emails, bad outcome. The useful version is: several internal systems failed at the same time.
1. Revenue thinking outran risk thinking.
The “turbocharged” work was designed to increase near-term OxyContin revenue. That is normal business language. The problem is what happens when normal business language gets applied to a product, customer base, and public health context that require far more scrutiny.
A company can say “growth.” Prosecutors may hear “pressure campaign.” A company can say “high value.” Prosecutors may ask, “valuable because they were safe, or valuable because they prescribed a lot?”
2. The conflict process did not match the promise.
McKinsey represented to the FDA that consultants serving the FDA would not be assigned to competitively sensitive projects for a significant period after FDA work. DOJ alleged McKinsey assigned consultants to both FDA projects and competitively sensitive Purdue projects around the same time.
If Legal, Compliance, Sales, or Procurement describes a control to a government customer, someone has to own the day-to-day execution. Someone has to test it. Someone has to block the staffing conflict before it happens.
3. Preservation depended too much on individual judgment.
Elling’s emails referenced eliminating documents and later deleting Purdue materials.
That is the nightmare scenario for any GC or CCO: a senior person personally deciding what should exist when litigation risk is obvious.
If your preservation program depends on a busy executive remembering, interpreting, and self-policing the rules, your program is fragile. This is not a McKinsey problem. It is a problem at any firm where senior people manage their own files.
4. The risk committee shows up too late.
The July 4 email mentions a possible conversation with the risk committee. By that point, state attorneys general were already suing Purdue-connected individuals, and the internal discussion was already touching document elimination.
A risk committee that enters only after litigation risk and document elimination are already on the table is being used as a fire department. The better model gives the committee authority to stop work, change scope, require independent review, and document the decision before crisis.
How to Avoid Becoming the Next Cautionary Tale
For GCs, CCOs, CFOs, CHROs, and business leaders, the practical lessons are uncomfortable but simple.
1. Build a “headline review” into high-risk growth projects.
Before approving the strategy, ask what it would look like quoted in a complaint. Which words sound harmless in the deck but dangerous in a filing? Is the project optimizing for revenue in a context that touches safety, patient welfare, public funds, or government trust? Who has the authority to say no? If the answer is nobody, fix that before launch.
2. Treat government-facing promises as controls, not sales language.
If your company tells a regulator, agency, or public-sector customer that it has a conflict policy, staffing screen, firewall, quality review, security process, or independence protocol, treat that statement as an operational commitment. Assign an owner. Track exceptions. Audit the control. Keep evidence. The worst version of a control is the one that sounds great in the proposal and has no owner after signature.
3. Automate litigation holds where possible.
People under pressure make bad preservation decisions. The hold process should not depend on personal judgment by the person closest to the problem. At minimum:
- Legal should issue holds quickly when litigation or investigation risk is reasonably apparent.
- IT should preserve key accounts, devices, shared folders, messaging channels, and cloud repositories.
- Business leaders should receive short, direct instructions in plain English.
- Compliance should test whether preservation actually happened.
- Any deletion request involving a sensitive matter should trigger escalation.
4. Give employees a safe escalation path before they improvise.
The dangerous employee is often the high performer who thinks they are protecting the company, the client, or themselves. Train three reflexes:
- If you are thinking about deleting documents — stop and call Legal.
- If a client asks you to do something that feels like hiding, misleading, or cleaning up the record — stop and call Legal.
- If a deck, model, or recommendation could help someone break the law — stop and call Legal.
That training is not just for junior employees. Senior executives need it more.
5. Make risk ownership real.
If a project touches regulated products, government programs, public health, vulnerable consumers, federal funds, or known enforcement history, risk review needs real authority. Legal, Compliance, Finance, HR where incentives are involved, and an accountable business leader should be in the room before launch. If the review cannot change the work, delay it, or stop it, it is theater.
One More Thing
The most memorable line in the McKinsey case is not from a slide deck or a court filing. It’s that subject line.
“When home.”
Two words that read like someone trying to be careful — and that became among the most incriminating pieces of paper in the prosecution.
A senior partner at McKinsey thought writing a personal to-do list on a corporate email account, naming the client he was about to scrub from his laptop, was a smart way to handle it.
That is the point of Not Good.
The bad moment is rarely announced with a dramatic speech. Sometimes it is a calendar invite. A spreadsheet tab. A staffing decision. A Slack message. A folder name. A personal reminder sent to a work account.
The reason to read this case is not that McKinsey is uniquely bad. It is that McKinsey is uniquely good at the work it does, and this still happened. The firms that learn from this will be the ones that stop assuming “our people would never do that” and start building systems that do not depend on the assumption.
Spot the red flag now. Or read about it in the next issue.
This blog post is for informational purposes only and does not constitute legal advice. The discussion of this matter, including the conduct of any individuals involved, is based solely on publicly available information and court filings. Nothing in this post should be interpreted as a statement of fact about any person’s character, intentions, or actions beyond what has been reported in official sources.
The analysis provided reflects general legal principles and commentary and may not apply to any specific situation. Reading this post does not create an attorney-client relationship with the author or their firm. If you have questions about how these issues may affect your organization, you should consult qualified legal counsel.
The information provided on this website is for general informational purposes only and should not be considered legal advice. No attorney-client relationship is created by accessing or using this website. Please consult with a qualified attorney before making any legal decisions. Global Link Law is not liable for any reliance on the information provided. Prior results do not guarantee a similar outcome.
