Sun Pharma must immediately declare a voluntary recall of Levipil 500

Dr Avi Chaudhuri, an expert on anti-counterfeiting, has further analysed the recent counterfeiting case of Sun Pharma’s Levipil 500. In this follow-up report, he prescribes three urgent actions that the drug maker must immediately undertake, including a voluntary recall of all blister packs associated with the affected batches. The sophisticated nature of the digital theft that led to replica QR codes being placed on fake packages may, however, spell far greater trouble for Sun Pharma.

A steady stream of reports concerning the appearance of counterfeit medicines has rocked India in recent weeks. The most worrying aspect of these reports is that the fake medicines contain fully-functional QR codes that mimic the anti-counterfeiting program introduced by the Health Ministry as a way to verify drug authenticity. In an article published here ten days back, I provided a detailed account of a most worrying case where counterfeiters succeeded in acquiring batch-specific serial numbers of Sun Pharma’s anti-epileptic drug Levipil 500, which were then embedded into QR codes on fake packages. Those serial numbers in turn would confirm the drug’s authenticity after QR scanning, thus providing false reassurance to the patient.

The Gujarat Food and Drug Control Administration (FDCA) has now updated its original findings in this case. FDCA Commissioner Dr. Hemant Koshia, who has been leading this investigation, now reports further troubling developments, as follows:

  • four batches of counterfeit Levipil 500 have thus far been found, totaling 850 strips;
  • the incident represents a first-of-its-kind operation involving interstate trade of counterfeit drugs with active QR codes encompassing at least six states as of now: Delhi-NCR, Gujarat, Madhya Pradesh, Maharashtra, Uttar Pradesh and West Bengal;
  • the operation involved a sophisticated nexus of 8-10 distributors in Gujarat alone;
  • the scale and complexity of the counterfeiting effort suggest involvement of an organised cybercriminal network that engaged in data theft;
  • the Sun Pharma case reinforces concerns about security of the government-mandated QR coding requirement and its vulnerability to tampering.

Here, I provide an updated assessment of this counterfeiting episode and where things now stand after Commissioner Koshia’s exposure of this case. Unfortunately, the news continues to be bleak, both on the details of the incident and how it is being handled by Sun Pharma. It is therefore important to now prescribe a set of drastic steps that must be immediately taken by the company to prevent further harm to public health and consumer safety. A prior reading of my earlier article would help in terms of continuity in the narrative of this important case [1].

A case study in hard lessons

A remarkable finding on revisiting this issue now is that counterfeit packs from all four compromised batches of Levipil 500 continue to be successfully validated after a scan of their QR codes. The accompanying figure shows screenshots from three of those batches (batch numbers are circled in red). The most disturbing finding is that serial numbers (circled in blue), which are the actual tool for product validation, still remain active, as evidenced by the appearance of the product’s key details after a scan. In other words, these QR codes continue to mislead consumers even though it has been known to Sun Pharma and its solution provider (PharmaSecure, Inc.) for some time that those very codes have been compromised and placed on fake products.

Another example of the shambolic handling of this case is that scanning a fake product actually returns an affirmative message of product authenticity (red arrows). It can be seen that the screenshot in Example 1 displays the notification “This is a Genuine Pack”. A more declarative statement is offered for the same product but from a later batch by way of “This Product is GENUINE” (Example 2), with specific emphasis on the adjective.

It is difficult to understand why Sun Pharma and PharmaSecure would continue to provide such confirmatory responses after having been aware for more than two weeks not only that this drug is the target of a major counterfeiting attack but also of the exact batch and serial numbers that had been compromised. Notwithstanding the poor practice of declaring authenticity in general [2], the continued projection here of a fake medicine being authentic with full foreknowledge of the facts represents a level of incompetence (or perhaps indifference) that is rarely seen in our modern era of corporate accountability.

An interesting outcome takes place when the same code is validated multiple times, as shown in Example 3 of the figure (green arrow). The consumer is now informed that the code on that product had already been scanned. This is actually a positive feature [3]. However, this message will only appear after multiple validations have been made and therefore the original product and its digital twin, the counterfeit version, will both generate an assurance of product authenticity (i.e., one of the red-arrowed texts). The message of excessive attempts, however, is a benign notice that will likely be ignored by most consumers.

A prescription for Sun Pharma

Medicines represent one of the most sensitive products we purchase and consume, and therefore drug makers have the heavy burden not only to adhere to best practices in all aspects of the manufacturing and distribution process, but also in principled conduct when something goes wrong. And something has gone wrong with Sun Pharma here in a very big way.

There are three clear and present actions that must be undertaken by Sun Pharma with utmost urgency.

1) Lock the codes

The company has already failed its first big test on how to react to the Levipil incident by maintaining the active status of serial numbers on the four affected batches. As noted above, this grievous error continues to produce false reassurance through the illusion of authenticity on a verifiably fake product. That should not happen, and in fact Sun Pharma should have directed PharmaSecure to immediately freeze all serial numbers on the affected batches. That evidently did not happen, or alternatively the demand was not implemented. Neither failure can continue.

Effective immediately, Sun Pharma must inactivate all serial numbers associated with the four batches of Levipil 500 that are known to have been compromised thus far — namely, GTF0885A, GTF1456A, GTF1540A and GTF3432A. To be precise, a scan of the QR code on any blister pack associated with those four batches must not return an affirmative notice or any product information. Instead, what should follow is a clear communication that the patient is not to consume that medicine due to the possibility of tampering, accompanied by a commonly used visual flag such as an exclamation mark, alert icon, danger sign or similar.

As of the submission of this article, QR codes on fake Levipil packages were all still active and returned a message of authenticity. Sun Pharma needs to flip that switch off right away. I have attached the QR code at the bottom of each screenshot in the figure above for that specific fake product, allowing readers and regulators to confirm for themselves when the codes have actually been inactivated. The more inquisitive examiners may wish to test the link in the QR code from any of the other thirty-five fake products that I had originally reviewed [4].
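The scan response called for in this step, together with the repeat-scan notice described earlier, can be sketched as follows. This is an added example, not Sun Pharma's or PharmaSecure's code; the serial numbers, status names and repeat-scan threshold are assumptions, and only the four batch numbers come from the article.

```python
from dataclasses import dataclass, field

# Batch numbers named in the article as compromised.
FROZEN_BATCHES = {"GTF0885A", "GTF1456A", "GTF1540A", "GTF3432A"}
REPEAT_SCAN_LIMIT = 3  # assumed threshold; the article does not state one


@dataclass
class SerialRecord:
    batch: str
    product: str
    scans: int = 0


@dataclass
class Verifier:
    serials: dict  # serial number -> SerialRecord
    frozen: set = field(default_factory=lambda: set(FROZEN_BATCHES))

    def verify(self, serial: str) -> dict:
        rec = self.serials.get(serial)
        if rec is None:
            return {"status": "UNKNOWN_CODE", "alert": True}
        rec.scans += 1  # count every scan, frozen or not, for investigators
        if rec.batch in self.frozen:
            # Frozen batch: no affirmative notice and no product details.
            return {"status": "DO_NOT_CONSUME", "alert": True,
                    "message": "Possible tampering. Do not consume."}
        if rec.scans > REPEAT_SCAN_LIMIT:
            # Fires only after several scans, so a clone's first scan passes.
            return {"status": "ALREADY_SCANNED", "alert": True, "scans": rec.scans}
        return {"status": "CODE_RECOGNISED", "alert": False,
                "product": rec.product, "batch": rec.batch}


def demo() -> list:
    # Constructed sample data: serial numbers and second batch are made up.
    v = Verifier({
        "SN-CONSTRUCTED-0001": SerialRecord("GTF0885A", "Levipil 500"),
        "SN-CONSTRUCTED-0002": SerialRecord("BATCH-PLACEHOLDER", "Levipil 500"),
    })
    results = [v.verify("SN-CONSTRUCTED-0001")]
    results += [v.verify("SN-CONSTRUCTED-0002") for _ in range(4)]
    results.append(v.verify("SN-NOT-ISSUED"))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The frozen-batch check runs before any other branch, so a pack from an affected batch never reaches the path that returns product details, whether it is the original or its copy.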

2) Order a voluntary recall

The act of freezing the codes from the above step will ensure that false information is not propagated to any patient who chances upon a fake variant and scans its QR code. However, that feat alone will not remove the many fake Levipil products that are still circulating in the market, having penetrated at least six states now and likely others. As argued in my last article, the criminals behind this atrocity did not spend vast sums of money to create a near-perfect replica of an original Levipil pack along with sophisticated digital reproduction to then restrict their distribution activity to a confined area. This is undoubtedly a large-scale attack with a national footprint.

Sun Pharma must now be resolute in minimising harm from fake versions of its product. The only way to do so is to immediately undertake a voluntary recall of all Levipil 500 products belonging to the four identified batches thus far. There must be no further delay in this action because each passing day will create the possibility of serious health outcomes from ingesting fake Levipil. That adversity will also represent possible liability to the company, given that it has known about this problem for some time. In fact, the lack of a voluntary recall thus far is surprising given that details of the attack on Levipil 500 have been in the public domain for some time now.

Drug regulators across India will undoubtedly be vigilant now to ensure other batches have not been compromised. That possibility is quite high in my view. The three batches of fake Levipil shown in the figure were manufactured in April and May 2024. The fourth batch (not shown) was manufactured in November 2024. It is not likely that any of the intervening batches or even subsequent ones were spared, leading to the disturbing possibility that fake versions from those other batches have not yet been discovered. To add to the anxiety, any of the other twenty medicines from Sun Pharma’s portfolio in the government’s top 300 list requiring QR coding could also have been compromised. That conjecture is derived from a simple question — would the perpetrators of this brazen and sophisticated act of digital theft have stopped at just one product, and that too on a mere four batches?

Commissioner Koshia has advised the Drugs Controller General of India, the nation’s top drug regulator, as well as state regulators across the country, of the situation with Levipil 500 so that they undertake close surveillance of the marketplace. The possibility exists that a Levipil recall may be enlarged, even to a total one. That would be a sure way to remove all counterfeit versions from the market.

There is however one final action that Sun Pharma must undertake, as taken up next.

3) Understand (and report) how this happened

As speculated in my last article, which Commissioner Koshia has now come to conclude, the likely means by which the perpetrators pulled off this feat was through digital theft of active codes. Furthermore, those codes (i.e., serial numbers) must have been specific to each batch because the scan outcome returns the batch number on the screen, which corresponds to the printed version on the blister pack. Thus, the theft did not involve just a bank of unaffiliated codes but rather those that were specifically generated for a particular batch. It is in this manner that the serial number to batch number correspondence is attained. In many ways, this is the perfect crime because every code in the market, both on a real and fake product, will be positively verified and return the correct batch number as well.

A major unanswered question then is how did this theft happen, and at which location — i.e., the solution provider (PharmaSecure) or the packaging site (Sun Pharma plant in Assam). From my experience in setting up authentication and traceability programs in India over many years, I came to discover that solution providers here generally take a casual approach to delivering sensitive data, and most notably the serial numbers. These are important digital assets that if compromised can be easily misused by third parties, including placement on fake products. It is critically important that utmost care be taken to generate, transmit, maintain and print serial numbers in a secure manner. I would often discover openly visible serial numbers on monitors at packaging lines where the codes were taken from spreadsheets delivered via email. A digital operation of this kind is an open invitation to theft.

It is therefore incumbent upon Sun Pharma to undertake a root cause analysis of this situation and determine what lapses or loopholes might exist in code generation, handling and transmission by PharmaSecure, as well as the way serialised data is received, maintained and used at its plants. A leak of sensitive digital assets represents a major security breach whose source identification is essential for avoiding future mishaps.

It would also be highly prudent for Sun Pharma to be fully transparent and disclose its findings so that other drug makers become aware of the counterfeiter’s modus operandi in this case. Progress in best practices for any industry is reliant upon continuous learning that should be openly shared, especially with sensitive products such as medicines, rather than being confined to a corporate silo.

Synthesis

Commissioner Koshia has communicated his deep concerns to the central government about the QR coding program and its vulnerability to tampering. The Levipil case is a perfect exemplar of the ease with which criminals who have now become highly sophisticated can bring this program to its knees. It may also be the case that the various solution providers currently engaged with drug makers in India’s QR coding program are too wedded to their earlier primitive practices, which now make them nakedly vulnerable to a new crop of sophisticated cybercriminals. A theft of this kind should never happen, and that is another reason why Sun Pharma must openly divulge its findings on the root cause.

Security specialists the world over have long known about the vulnerabilities of QR codes, notwithstanding the increasingly rare appearance of naïve arguments to the contrary. The Levipil episode illustrates just one example of how India’s QR coding program, ostensibly introduced to protect consumers, could be so easily compromised, with devastating outcomes now for the brand owner and, more importantly, patients who were duped into false reassurance. It is a certainty that there will be many other such episodes because, as I have argued, the QR code after all is a gift to the counterfeiter.

References

[1] https://www.expresspharma.in/a-troubling-new-development-in-indias-qr-code-saga/

[2] https://www.securingindustry.com/pharmaceuticals/india-s-drug-qr-coding-programme-anatomy-of-a-debacle/s40/a16877/

[3] https://www.securingindustry.com/pharmaceuticals/india-s-qr-code-programme-part-2-rating-the-drug-makers/s40/a16919/

[4] https://app.box.com/s/8fymvhvnlqhlr6b8o3ilwsrd3ec5f2w4
