How Counterfeit Avastin Penetrated the U.S. Supply Chain

Counterfeit Avastin

The internet lit up last week when the U.S. Food and Drug Administration (FDA) posted an announcement that they are aware of counterfeit Avastin in the U.S. pharmaceutical supply chain (see “Counterfeit Version of Avastin in U.S. Distribution” on the FDA website and Genentech’s announcement).

I found out about it when I received notice of Dr. Adam Fein’s (PhD) excellent blog posting “Greedy Physicians Invite Fake Avastin Into the Supply Chain” on his blog, but multiple national news agencies picked the story up and many articles were written about it.  Most simply reflected the contents in the FDA’s announcement.

But at least one news source seemed to do some additional investigating.  Bill Berkrot and John Acher of Reuters published the excellent article “Fake Avastin’s path to U.S. traced to Egypt” on Thursday.  In the article they provide a little more background on the path the drugs allegedly took before apparently arriving on the shelves of U.S. physicians and potentially in the bodies of unsuspecting U.S. patients.

And Pharmaceutical Commerce Online reports that Avastin isn’t the only incident of recent counterfeit injectable cancer drugs making it into the U.S. market that the FDA is currently investigating.


Now keep in mind, this is only investigative journalism so far, and while the information source listed in the Reuters article is the Danish Medicines Agency, criminal investigators may already know more than this and in the end, some or all of the contents of the Reuters article may eventually be found to be untrue.  Whether ultimately true or not, here is a drawing that I have constructed to reflect the path that they sketch out.  Dashed lines indicate probable sales transactions

Click on the image to enlarge.

As far as we know so far all of these distributors were licensed by some local regulatory agency to buy and sell legitimate prescription drugs somewhere.  At least we don’t know otherwise.  According to Genentech’s website, the U.S. Distributor that allegedly sold the counterfeit Avastin to 19 medical practices was not authorized by Genentech to sell legitimate Avastin to anyone anywhere.  The question is, were they licensed to sell prescription drugs in the locations that the FDA says they did (mostly California but also Texas and Illinois).  Local boards of pharmacy will have to investigate that for any potential violations.


It appears that the U.S. distributor that allegedly imported the counterfeit Avastin from the U.K. distributor and who then allegedly sold it to the 19 medical practices may have done so illegally not only because the product was allegedly counterfeit, but also because the product was not labeled for distribution in the U.S.  Here are the pictures of the counterfeit Avastin packaging from the FDA website.

Counterfeit Avastin
Counterfeit Avastin

The linear barcode on the package contains a GS1 GTIN-13 that is rarely seen in the U.S. on drugs, though it is typical almost everywhere else (especially in Europe).  According to the GS1 GEPIR service, the GTIN-13 on the counterfeit packaging uses the GS1 Company Prefix (GCP) that is registered with GS1 Switzerland to F. Hoffmann-La Roche AG of Switzerland.  Roche is the parent company of Genentech.  Of course, anyone can generate a barcode that uses someone else’s GCP so that doesn’t really mean anything except that the counterfeiters went to the trouble to make it look legitimate by that number.

The full GTIN-13 appears to be meaningless.  A Google search of the full GTIN returns nothing.  However, the GCP reported by GEPIR is “764012801” which is not composed of an FDA Labeler Code as it must be to be legally distributed in the United States (see my essays “Anatomy of the National Drug Code”, “Anatomy of a GTIN”, and “Depicting an NDC within a GTIN”).  There is no U.S. FDA National Drug Code (NDC) on the package or the vial in either human or machine readable forms.  Any good packaging expert would be able to find multiple other reasons this packaging doesn’t comply with U.S FDA regulations.


When you trace backward to find the source of any drug in a lengthy supply chain like this it is an easy trap to assume that you have documented where all of the drugs went.  But more than likely you have only found how just one subset of the drugs made it to this particular endpoint.  The role of a distribution company is to distribute product.  If the Danish Medicines Agency and the FDA are correct, then these drugs that have been discovered in the U.S. supply chain went through at least four distribution companies and maybe five (if you include one in Egypt).  What are the odds that each distributor sold their entire inventory of this Avastin to the next distributor?  Laughably slim in my opinion.

Here is how I depict what we don’t know.  Dashed lines indicate probable and potential sales transactions.

Click on image to enlarge

If only a few of these unknown but potential transactions actually took place the problem could be much bigger than we know right now.  Hopefully there are intensive investigations going on right now on both sides of the Atlantic.  Unfortunately there is no single criminal investigating agency with jurisdiction over all of the places through which these counterfeit drugs allegedly passed.  That makes investigations complicated and time consuming.  If you were a criminal, wouldn’t you just love that about this kind of international crime?


There are discussions and debates going on all over the world about exactly what is the right way to counter the growth in attacks on the legitimate pharmaceutical supply chain.  I have selected three approaches that have been discussed in Europe and the United States in recent years.  Each of the approaches to supply chain security outlined below requires the application of a globally unique identifier to each drug package by the original manufacturer which is generally considered the first step by most people (see my essay “Anatomy of an FDA SNI“).

Authentication at the Point of Dispense (POD)
The European Federation of Pharmaceutical Industries and Associations (EFPIA) has heavily promoted the concept of Authentication at the Point of Dispense (POD) for years now.  This approach is not really an attempt at securing the supply chain itself but instead focuses all protection of patients on medical professionals such as pharmacists, doctors and nurses.  These healthcare professionals would need to use a barcode reader and associated internet-connected databases to verify the serialized barcode on each package of drugs at the point of dispensing it to a patient.  Thus, if a counterfeit drug made it through the supply chain, it would not be allowed to harm patients because these healthcare professionals would detect it at the last possible moment.

Applied to this specific case the 19 medical practices who are listed in the FDA notice as allegedly having improperly purchased counterfeit and illegally labeled products would have been responsible for scanning the serialized barcode on the counterfeit product just prior to dispensing it to their patients.  How likely is that to have happened in this scenario?  Hard to say, but considering that these 19 practices had a duty to know that they were allegedly buying from an unauthorized source, and that the packages they received were improperly labeled, but yet they apparently failed to notify any regulatory agency when they received them, I wonder if they would have bothered to perform the authentication step.  If they had (and assuming that this product had the necessary serialized barcode on them that would be necessary under a POD system, which they don’t today) then we would hope that the patients would not have been injected with the counterfeit drugs.

POD authentication does not offer any mandatory protections of the supply chain itself.  That is, criminals are free to spew counterfeit and stolen product throughout the supply chain, wherever they can find a place that will allow them to introduce illegitimate product into the legitimate supply chain.  So nothing would have prevented or slowed any of the four or five distributions, or the potentially many other unknown distributions of this counterfeit Avastin.  And by the time the drug is found to be counterfeit the criminal can be long-gone, working somewhere else on their next counterfeit drug.  By then their trail has gone cold.

To me, POD authentication is a lovely invitation to criminals to setup shop and go for it.  Full steam ahead!  Make a killing monetarily but you don’t have to worry about killing patients because POD authentication will ensure that the fake chemicals will eventually be blocked from actually being consumed at the other end of the supply chain.  The game is setup to protect the patient…and coincidentally, the criminal.

Patient Authentication
Like POD Authentication, Patient Authentication doesn’t attempt to protect the supply chain itself but relies on the patient to authenticate each drug prior to injection or ingestion.  It provides an additional benefit over POD Authentication by eliminating the need to trust the healthcare professionals to properly source their medicines and to authenticate them on your behalf.  The patient is allowed to take drug authentication matters into their own hands.

In the current Avastin situation the 19 medical practices would have provided each of their Avastin patients with the packaging prior to injecting them with it so that those patients could use their cell phones to scan the serialized barcode (or type in a unique code via SMS text messaging) and receive a good/bad message directly from Genentech, the manufacturer.

This approach assumes that the patient has a cell phone with a camera and data service (or SMS feature), knows how to use the authentication service (think of your grandparents doing this…most drugs are consumed in the U.S. by those over 60), and the healthcare professional is willing and able to wait around while the patient interacts with the authentication service in a clinical or emergency room situation.  If I were a counterfeiter I would simply counterfeit drugs that are typically administered when patients are unconscious or in fast-paced emergency situations.  Who’s going to take the time to authenticate in those situations?

Patient Authentication fails for all of the same reasons, and more, that causes POD Authentication to fail.  The biggest failure of both is that they fail to do anything to protect the supply chain and therefore encourage counterfeiters and cargo thieves to do their worst.  (See my essays “Illegitimate Drugs In The U.S. Supply Chain: Needle In A Haystack” and “How to Stop Pharmaceutical Cargo Theft“.)

ePedigree is a supply chain protection technology that is invoked at each sales transaction of a drug within the supply chain.  It requires each seller of a drug to provide the buyer with access to a standardized and authenticated (signed) history of all prior transactions starting with the original manufacturer of the drug component (irrespective of any repackaging that may have occurred along the way).  Each buyer in the supply chain is expected to analyze the ePedigree to confirm that the prior history is valid (through validation of each digital signature) and consistent.  All validations are automated and, depending on the model, may be performed centrally or distributed.  If any ePedigree is found to be invalid the buyer can refuse to take possession of the drugs and may return them to the seller, and, depending on the problem, may notify the regulatory agency (see my essay “Viability of Global Track & Trace Models”).

The California Pedigree Law is an example of an ePedigree system (see “The California Pedigree Law”, and “California Pedigree Law: Historic Change to Commerce”).

In this way illegitimate drugs of almost any kind can be blocked from moving into and through the legitimate supply chain.  Applied to this Avastin case, the very first distribution would have been blocked because the counterfeiter would not be able to provide an ePedigree that matched the product and which contained a digital signature from Genentech.  Even if the first distribution would have gone through because the buyer failed to check the ePedigree, the second buyer would have the opportunity to validate it, and so on through the four or five distributors that allegedly owned the Avastin before it reached the 19 medical centers.  Every supply chain sale is an opportunity to detect and stop the counterfeit.

Even if we assume that only the United States required an ePedigree back to the manufacturer, the U.S. Distributor in this case would not have been able to sell the counterfeit product to the 19 medical centers, or anyone else in the U.S., because they would not have received a valid ePedigree from the U.K. Distributor.  In this way, ePedigree keeps the entire supply chain clear of illegitimate drugs and blocks criminals at every point of introduction and sale.

The one thing that ePedigree cannot protect you from is a criminal healthcare professional who might choose to buy illegitimate drugs directly from the trunk of a criminal’s car or truck.  Since those drugs have not passed through the legitimate supply chain they cannot be detected.  In my view this can be addressed by stronger penalties for these kind of crimes so that healthcare professionals decide it’s not worth the risk to their careers.  That’s already in the works in Congress right now (see my essay “STEP #1: Raise Penalties For Drug Crimes To Reflect The Widespread Harm They Can Inflict”).

As a system-wide supply chain solution ePedigree costs more than POD or Patient Authentication.  In particular, distributors need to spend a lot more to deploy and operate an ePedigree solution.  POD and Patient Authentication systems only involve the patient, pharmacy or hospital/clinic and the manufacturers.  Distributors may choose to participate voluntarily if they want to invest the resources.  As in many things, you get what you pay for.

Why didn’t I include “Track & Trace” as a separate approach to securing the supply chain?  Because the “Trace” part of “Track and Trace” performs the same role as ePedigree and the “Track” part doesn’t add anything extra to supply chain integrity.  See my essay “Terminology: Track and Trace, and Pedigree“.

Which approach to blocking counterfeits like this Avastin case do you think is appropriate for our future?  How much should we expect to spend to “solve” this problem?  Who should pay for it?  Should there be a single, global approach selected or different national approaches that are targeted to the specific problems that exist today in each locale?  Leave a comment below.


20 thoughts on “How Counterfeit Avastin Penetrated the U.S. Supply Chain”

  1. Dirk – Do you have information on a drug’s typical path through the supply chain? I would expect this to vary by drug, or more generally, a drug’s class as defined by its characteristics. The first question that comes to mind when I view your diagrams is, “Is it normal for a drug like Avastin to go through such a distribution chain?” An atypical traversal of the chain would point to a potentially problematic transaction. An analysis of a drug’s pathway to a provider brings up an additional benefit of ePedigrees in that they provide a basis for statistical analysis.

    1. CS,
      Thank for your comment. I can’t offer any specific information about how drugs move through the supply chain except, as others have already pointed out, Avastin’s distribution in the U.S. appears intended to be fairly well controlled by their authorizations based on class of trade. The path that this drug allegedly took is certainly very unusual and, if it had been known to each of the distributors in the chain, should have been a red flag. That’s one of the purposes of a pedigree. To provide each buyer of a drug in the supply chain a way to confidently see where the drugs have been before they make the purchase final. Doing a statistical analysis of each pedigree (or at some sampling frequency) received by a provider would be a great idea, although I think if the pedigree model is designed well it should have enough trust elements built into it that most companies would simply do a standard pedigree validation rather than also doing a statistical analysis on them.


  2. Excellent overview of this shameful story, Dirk.

    As I see it, none of the three approaches would have worked because the US distributor was obtaining the product from an unauthorized source.

    The supply chain for a specialty drug with a limited network (like Avastin) is very simple: manufacturer–>authorized distributor–>medical practice. ANYTHING outside of that channel is diversion.

    In this case, the medical practices purchased from a non-authorized distributor, which had purchased from a non-authorized source (i.e., not the manufacturer), and so on. Why would anyone in this criminal chain of negligence have bothered to scan or authenticate anything?

    I’ll have more to say on this topic tomorrow on Drug Channels.


    1. Adam,
      Thanks for your comment. You make a good point. None of these systems can check on the authorization status of a supplier or do anything based on the number of previous owners. That’s up to each buyer to determine. But we’re talking about two different things: whether or not the source was valid/authorized by the manufacturer, and whether or not the drugs are counterfeit (or otherwise illegitimate). If a buyer in the supply chain chooses to buy from an unauthorized source a pedigree will not stop them, but it will tell them a lot about where the drug had been prior to their acquiring it and from that they can tell if they are legitimate or not. If there was even just a single honest distributor in this alleged chain (I’d like to think there are multiple) a properly constructed electronic pedigree model should have caught the counterfeit drugs well before the U.S. distributor acquired them.


  3. Dirk:

    Your last paragraph is the big question? Who wants to give up profits and/or pay more for drugs?

    The CA Pedigree Law through 2017, if not delayed or pre-empted by the Feds, will ultimately force the issue of “who pays”?

    Unfortunately, I believe that Medicare (our tax dollars)and private insurance (our co-pays/deductibles/premiums)will fund supply chain technology. Also, we can expect further reductions in Rx coverages, again! Eventually, we will end up with a Rx system with boutique meds on one side and $5 generics on the other. The “Quality of Care” motto will have to be replaced for most of us.

  4. Dirk,

    Good summary, Dirk, and thanks for the shout out about Pharmaceutical Commerce. The FDA document where I picked up mention of *other* possible counterfeit intrusions is here:

    The odd thing about this is that it’s dated Jan. 13, but appears to have been posted at FDA only last week.

    I think you’re right that it is wrong to assume that only the 19 clinics already notified by FDA are the end of the chain here; I also note that at least one of these clinics says that it stopped accepting drug back in July.

    To your point about pedigree, and somewhat indirectly to Adam’s about channel diversion: some states’ pedigree rules define a “normal” chain of distribution, specifying authorized wholesaler to authorized pharmacy to, presumably, the patient (and any movement outside this requires a paper pedigree). I believe I’m correct in saying that only some states include “doctor” at the end of this chain, and in any case, many specialty pharmaceuticals need an intermediate compounding (and possibly repackaging) step. What this points to is that the “normal” chain only exists some of the time for some drugs.

    Also, as FDA noted in its documents, this diversion, for the somewhat uninformed, can slip into discussion of drug shortages and purported hoarding by nonauthorized distributors. While undoubtedly that is occurring some of the time, in some places, it is also true that there are disconnects between the authorized distributors and the market. The secondary wholesalers serve a meaningful purpose by locating those disconnects and delivering product to clinics that otherwise can’t get them. A “non-authorized” distributor is *not* automatically a “criminal” distributor.

    1. Nick,
      Thanks for the great additional information and comment. I just wanted to submit a quick reply to clarify that I did not mean to imply that “non-authorized” was equal to “criminal”. I noted that the U.S. Distributor was not authorized by Genentech (according to their website) to distribute Avastin anywhere, and then I said “The question is, were they licensed to sell prescription drugs in the locations that the FDA says they did (mostly California but also Texas and Illinois).” If they were licensed by the state boards of pharmacy to distribute in the locations the FDA alleges that they did then the remaining question is why did they buy and sell drugs that were not properly labeled for sale in the U.S.?


      1. Let’s not sugar coat the truth…Volunteer had no business buying Avastin from an overseas source and was not authorized to resell it to physician practices. All secondary distributors are not criminal, but this one sure looks to be.

    2. Hi Nick,

      On a related note, according to this article ( published on Feb 15, there appears to have been another off-shore connection in the supply chain: Quality Speciality Products located on the Island of St Kitts in the West Indies. Curiously, this company was cc’d on all the 19 notices sent out by FDA (for example, look at the last line of this letter


  5. What’s really needed is a combination of patient authentication (patient can verify), insurance authentication (ensures they are paying for the real deal), and ePedigree (so they can prosecute any instances such as what happened with Avastin).

    1. Blah,
      Thanks for your comment. That’s a rational thought. I still don’t think that patients in the U.S. will bother verifying their medications except for a few weeks after some incident like the current one, but giving them that option isn’t a bad idea. I know there are people who are concerned about loss of faith in the quality of their medications leading large numbers of patients to stop taking their prescriptions, all simply because someone told them that they could check the validity of their drugs. “What? You mean I can’t trust that my medications are valid?”.


  6. Hi Dirk,

    As always, you stimulate a great discussion.

    My question for you is, could this have happened in a country that already requires serialization for drugs (Turkey, Italy, Belgium, etc.)?

    What would be different in that model?


    1. Judy,
      Thanks for your comment and the kind words. You raise an excellent question. I think the only way for it to happen would be if an authorized importer to one of those countries acquired counterfeit drugs (inadvertently or not) and then submitted them for application of the National identifier/label/seal. I don’t know enough specifics about how these countries control what can be accepted and how they know they are not counterfeits already. Perhaps someone who knows the answer can submit a comment to inform us. It’s a great question. Thanks again.


  7. So the whole ePedigree concept seems like a game of Hot Potato — where the last one holding the counterfeit goods is the loser. Each supply-chain participant trusts their supplier as long as the ePedigree checks out. These companies have the technical infrastructure to perform real-time checks against Track & Trace systems. But the Patient has neither the acumen nor tools to verify an ePedigree. To have someone act on the Patient’s behalf, can the chain be extended one more hop to the Payer? This party has the technology and motivation to verify ePedigree data for their customers.

    This model could grow from an after-the-fact check to a real-time point of sale requirement. Pharmacies have already integrated their P.O.S. systems with Payers. They would only need to supply the additional serialized data along that path. The Payers could incentivize the Pharmacies by paying more for serialized information. The Payer can use these serialized drug records to participate in recalls, notices, etc.

    I believe one hole in Track & Trace models is how they end at the Pharmacy. What I’m proposing is to extend the coverage past the Pharmacy, without requiring a change in the public’s behavior. There are certainly edge cases where this is less-than-perfect. Having the Payers act on behalf of the patients seems a lot better than letting them fend for themselves.

    1. EricB,
      Thanks for your comment. ePedigree is not quite like a game of Hot Potato and let me use your analogy to explain why. With a well-designed ePedigree system each buyer of a potato would be allowed to check to see how “hot” each potato is before they actually finish buying it. If the potato is “hot”, the buyer can refuse to accept it and can return it to the current owner. Thus the person who is trying to introduce the hot potato into the chain cannot unload it and so they are left holding it and therefore become “the loser”.

      But you are right, if buyers choose to buy their drugs without checking the validity of the pedigrees they are given, they might end up with the “hot potato” that they cannot sell if it turns out to have a bad pedigree. So a pedigree system relies on everyone checking the pedigrees before they accept the drugs. A properly designed ePedigree model will automate the pedigree checks so the impact on supply chain operation–a big potential problem–is minimized.

      Pedigree information may have value beyond the back door of a pharmacy but their purpose is to protect supply chain transactions. Once the end of the supply chain is reached any additional benefits simply add to that ROI.


    2. Eric,
      I think you are on the right track. Pharmacies are willing to invest millions of dollars on adjudication systems to process claims yet balk at the idea of authenticating a drug. There is no profit in it for them. Making it part of the claims process would change their attitude.

  8. Dear Mr. Rodgers

    Your article and research was very enlightening and thank you for taking the time to publish it.

    I would like to mention that the company I work for, Kezzler AS is currently providing a SMS verification solution very similar to the one you described in your article specifically for Avastin in India. When we were asked to assist Roche they were faced with a problem similar to the one occurring in the United States today but of greater magnitude. The Kezzler solution was implemented about five years ago and there has not been a single reported counterfeit over the last three years – according to Roche.

    In addition, it is not only the patients but increasingly it is the doctors, nurses, hospitals and clinics that are more becoming more involved in the verification process. This is especially important for the Roche in India as they are the ones administering these injectible drugs.

    The net effect of this is that the counterfeiters have turned their attention other markets where the supply chain is less secure. It is, unfortunately, a common misconception that the supply chains in the USA and Europe are secure but multiple incidents have shown this not to be the case

    Our solution does provide a comprehensive supply-chain traceability and product control process. However, the final and most critical component is to provide the ability to verify the product via SMS or the internet. This capability is used by many other Pharma companies and Kezzler provides the same solution in different parts of the world.

    It seems somewhat ironic then that although they have managed to eradicate the problem in emerging markets that the same companies often fail to implement such simple yet proven technologies to address these issues in their home markets.

  9. Great article Dirk.
    Self-evident perhaps, but IMO ePedigree comes close to providing the security that we all expect.

  10. On March 15, at noon, PSM will be holding a Congressional briefing at the Capitol Visitor’s Center in Room HVC-201 entitled, “Moving Beyond the Avastin Incident: The Continued Impact of Counterfeit Drugs in the United States.”

    Register here:

    It is free, lunch will be provided, and Joel White on behalf of PSM will moderate talks by Lieutenant Commander Connie Jung of the FDA who will present “What Government Needs to Best to Protect the U.S. Supply Chain.” Also speaking will be Shay Reid of PDSA, presenting, “Safeguarding U.S. Citizens from Counterfeit Drugs.”

    As you know PDSA recent submitted a proposal for the Pharmaceutical Traceability Enhancement Code Act.

  11. Hi Dirk,
    It’s a good article which highlights the potential path which counterfeit drug can take. The suggested solutions cannot solve counterfeit drugs problem but yes they can be deterrent to the problem.
    My personal view is that that e-Pedigree as a solution is a very cost intensive solution. This approach is very difficult to implement and maintain for all the partners due to lack of standards related to data exchange and due to point to point data exchange between the business partners in the supply chain. example: if manufacturer has to send a e-pedigree with one distributor who inturn sells it to one pharmacy then in such a scenario e-pedigree is a good solution on paper. But when the manufacturer starts to exchange the data with ‘n’ partners then effort gets multiplied accordingly and from operational perspective having those many secure communications with partner is an operational nightmare.

    Countries should take some learning’s out of China and Turkey laws and systems where the data is in control of the government. Government systems acts as message broker and verifier for every movement of the product between the partners.

    There is need of well defined standards for the data exchange and a broker system which helps the supply chain partners exchange the data. A broker system should play a role of collecting, verifying and distributing the data between the partners.

    Good thing is that the all across the world government bodies are looking for deterrent laws to stop the menace. Solution and standards will be developed as now the problem statement is there.

Comments are closed.