The internet lit up last week when the U.S. Food and Drug Administration (FDA) posted an announcement that they are aware of counterfeit Avastin in the U.S. pharmaceutical supply chain (see “Counterfeit Version of Avastin in U.S. Distribution” on the FDA website and Genentech’s announcement).
I found out about it when I received notice of Dr. Adam Fein’s (PhD) excellent blog posting “Greedy Physicians Invite Fake Avastin Into the Supply Chain” on his DrugChannels.net blog, but multiple national news agencies picked the story up and many articles were written about it. Most simply reflected the contents in the FDA’s announcement.
But at least one news source seemed to do some additional investigating. Bill Berkrot and John Acher of Reuters published the excellent article “Fake Avastin’s path to U.S. traced to Egypt” on Thursday. In the article they provide a little more background on the path the drugs allegedly took before apparently arriving on the shelves of U.S. physicians and potentially in the bodies of unsuspecting U.S. patients.
And Pharmaceutical Commerce Online reports that Avastin isn’t the only incident of recent counterfeit injectable cancer drugs making it into the U.S. market that the FDA is currently investigating.
HOW COUNTERFEIT AVASTIN MADE IT INTO THE LEGITIMATE U.S. SUPPLY CHAIN
Now keep in mind, this is only investigative journalism so far, and while the information source listed in the Reuters article is the Danish Medicines Agency, criminal investigators may already know more than this and in the end, some or all of the contents of the Reuters article may eventually be found to be untrue. Whether ultimately true or not, here is a drawing that I have constructed to reflect the path that they sketch out. Dashed lines indicate probable sales transactions
As far as we know so far all of these distributors were licensed by some local regulatory agency to buy and sell legitimate prescription drugs somewhere. At least we don’t know otherwise. According to Genentech’s website, the U.S. Distributor that allegedly sold the counterfeit Avastin to 19 medical practices was not authorized by Genentech to sell legitimate Avastin to anyone anywhere. The question is, were they licensed to sell prescription drugs in the locations that the FDA says they did (mostly California but also Texas and Illinois). Local boards of pharmacy will have to investigate that for any potential violations.
It appears that the U.S. distributor that allegedly imported the counterfeit Avastin from the U.K. distributor and who then allegedly sold it to the 19 medical practices may have done so illegally not only because the product was allegedly counterfeit, but also because the product was not labeled for distribution in the U.S. Here are the pictures of the counterfeit Avastin packaging from the FDA website.
The linear barcode on the package contains a GS1 GTIN-13 that is rarely seen in the U.S. on drugs, though it is typical almost everywhere else (especially in Europe). According to the GS1 GEPIR service, the GTIN-13 on the counterfeit packaging uses the GS1 Company Prefix (GCP) that is registered with GS1 Switzerland to F. Hoffmann-La Roche AG of Switzerland. Roche is the parent company of Genentech. Of course, anyone can generate a barcode that uses someone else’s GCP so that doesn’t really mean anything except that the counterfeiters went to the trouble to make it look legitimate by that number.
The full GTIN-13 appears to be meaningless. A Google search of the full GTIN returns nothing. However, the GCP reported by GEPIR is “764012801” which is not composed of an FDA Labeler Code as it must be to be legally distributed in the United States (see my essays “Anatomy of the National Drug Code”, “Anatomy of a GTIN”, and “Depicting an NDC within a GTIN”). There is no U.S. FDA National Drug Code (NDC) on the package or the vial in either human or machine readable forms. Any good packaging expert would be able to find multiple other reasons this packaging doesn’t comply with U.S FDA regulations.
IS THIS JUST THE TIP OF THE ICEBERG?
When you trace backward to find the source of any drug in a lengthy supply chain like this it is an easy trap to assume that you have documented where all of the drugs went. But more than likely you have only found how just one subset of the drugs made it to this particular endpoint. The role of a distribution company is to distribute product. If the Danish Medicines Agency and the FDA are correct, then these drugs that have been discovered in the U.S. supply chain went through at least four distribution companies and maybe five (if you include one in Egypt). What are the odds that each distributor sold their entire inventory of this Avastin to the next distributor? Laughably slim in my opinion.
Here is how I depict what we don’t know. Dashed lines indicate probable and potential sales transactions.
If only a few of these unknown but potential transactions actually took place the problem could be much bigger than we know right now. Hopefully there are intensive investigations going on right now on both sides of the Atlantic. Unfortunately there is no single criminal investigating agency with jurisdiction over all of the places through which these counterfeit drugs allegedly passed. That makes investigations complicated and time consuming. If you were a criminal, wouldn’t you just love that about this kind of international crime?
HOW WOULD VARIOUS SUPPLY CHAIN SECURITY APPROACHES HAVE DEALT WITH THIS EPISODE?
There are discussions and debates going on all over the world about exactly what is the right way to counter the growth in attacks on the legitimate pharmaceutical supply chain. I have selected three approaches that have been discussed in Europe and the United States in recent years. Each of the approaches to supply chain security outlined below requires the application of a globally unique identifier to each drug package by the original manufacturer which is generally considered the first step by most people (see my essay “Anatomy of an FDA SNI“).
Authentication at the Point of Dispense (POD)
The European Federation of Pharmaceutical Industries and Associations (EFPIA) has heavily promoted the concept of Authentication at the Point of Dispense (POD) for years now. This approach is not really an attempt at securing the supply chain itself but instead focuses all protection of patients on medical professionals such as pharmacists, doctors and nurses. These healthcare professionals would need to use a barcode reader and associated internet-connected databases to verify the serialized barcode on each package of drugs at the point of dispensing it to a patient. Thus, if a counterfeit drug made it through the supply chain, it would not be allowed to harm patients because these healthcare professionals would detect it at the last possible moment.
Applied to this specific case the 19 medical practices who are listed in the FDA notice as allegedly having improperly purchased counterfeit and illegally labeled products would have been responsible for scanning the serialized barcode on the counterfeit product just prior to dispensing it to their patients. How likely is that to have happened in this scenario? Hard to say, but considering that these 19 practices had a duty to know that they were allegedly buying from an unauthorized source, and that the packages they received were improperly labeled, but yet they apparently failed to notify any regulatory agency when they received them, I wonder if they would have bothered to perform the authentication step. If they had (and assuming that this product had the necessary serialized barcode on them that would be necessary under a POD system, which they don’t today) then we would hope that the patients would not have been injected with the counterfeit drugs.
POD authentication does not offer any mandatory protections of the supply chain itself. That is, criminals are free to spew counterfeit and stolen product throughout the supply chain, wherever they can find a place that will allow them to introduce illegitimate product into the legitimate supply chain. So nothing would have prevented or slowed any of the four or five distributions, or the potentially many other unknown distributions of this counterfeit Avastin. And by the time the drug is found to be counterfeit the criminal can be long-gone, working somewhere else on their next counterfeit drug. By then their trail has gone cold.
To me, POD authentication is a lovely invitation to criminals to setup shop and go for it. Full steam ahead! Make a killing monetarily but you don’t have to worry about killing patients because POD authentication will ensure that the fake chemicals will eventually be blocked from actually being consumed at the other end of the supply chain. The game is setup to protect the patient…and coincidentally, the criminal.
Like POD Authentication, Patient Authentication doesn’t attempt to protect the supply chain itself but relies on the patient to authenticate each drug prior to injection or ingestion. It provides an additional benefit over POD Authentication by eliminating the need to trust the healthcare professionals to properly source their medicines and to authenticate them on your behalf. The patient is allowed to take drug authentication matters into their own hands.
In the current Avastin situation the 19 medical practices would have provided each of their Avastin patients with the packaging prior to injecting them with it so that those patients could use their cell phones to scan the serialized barcode (or type in a unique code via SMS text messaging) and receive a good/bad message directly from Genentech, the manufacturer.
This approach assumes that the patient has a cell phone with a camera and data service (or SMS feature), knows how to use the authentication service (think of your grandparents doing this…most drugs are consumed in the U.S. by those over 60), and the healthcare professional is willing and able to wait around while the patient interacts with the authentication service in a clinical or emergency room situation. If I were a counterfeiter I would simply counterfeit drugs that are typically administered when patients are unconscious or in fast-paced emergency situations. Who’s going to take the time to authenticate in those situations?
Patient Authentication fails for all of the same reasons, and more, that causes POD Authentication to fail. The biggest failure of both is that they fail to do anything to protect the supply chain and therefore encourage counterfeiters and cargo thieves to do their worst. (See my essays “Illegitimate Drugs In The U.S. Supply Chain: Needle In A Haystack” and “How to Stop Pharmaceutical Cargo Theft“.)
ePedigree is a supply chain protection technology that is invoked at each sales transaction of a drug within the supply chain. It requires each seller of a drug to provide the buyer with access to a standardized and authenticated (signed) history of all prior transactions starting with the original manufacturer of the drug component (irrespective of any repackaging that may have occurred along the way). Each buyer in the supply chain is expected to analyze the ePedigree to confirm that the prior history is valid (through validation of each digital signature) and consistent. All validations are automated and, depending on the model, may be performed centrally or distributed. If any ePedigree is found to be invalid the buyer can refuse to take possession of the drugs and may return them to the seller, and, depending on the problem, may notify the regulatory agency (see my essay “Viability of Global Track & Trace Models”).
The California Pedigree Law is an example of an ePedigree system (see “The California Pedigree Law”, and “California Pedigree Law: Historic Change to Commerce”).
In this way illegitimate drugs of almost any kind can be blocked from moving into and through the legitimate supply chain. Applied to this Avastin case, the very first distribution would have been blocked because the counterfeiter would not be able to provide an ePedigree that matched the product and which contained a digital signature from Genentech. Even if the first distribution would have gone through because the buyer failed to check the ePedigree, the second buyer would have the opportunity to validate it, and so on through the four or five distributors that allegedly owned the Avastin before it reached the 19 medical centers. Every supply chain sale is an opportunity to detect and stop the counterfeit.
Even if we assume that only the United States required an ePedigree back to the manufacturer, the U.S. Distributor in this case would not have been able to sell the counterfeit product to the 19 medical centers, or anyone else in the U.S., because they would not have received a valid ePedigree from the U.K. Distributor. In this way, ePedigree keeps the entire supply chain clear of illegitimate drugs and blocks criminals at every point of introduction and sale.
The one thing that ePedigree cannot protect you from is a criminal healthcare professional who might choose to buy illegitimate drugs directly from the trunk of a criminal’s car or truck. Since those drugs have not passed through the legitimate supply chain they cannot be detected. In my view this can be addressed by stronger penalties for these kind of crimes so that healthcare professionals decide it’s not worth the risk to their careers. That’s already in the works in Congress right now (see my essay “STEP #1: Raise Penalties For Drug Crimes To Reflect The Widespread Harm They Can Inflict”).
As a system-wide supply chain solution ePedigree costs more than POD or Patient Authentication. In particular, distributors need to spend a lot more to deploy and operate an ePedigree solution. POD and Patient Authentication systems only involve the patient, pharmacy or hospital/clinic and the manufacturers. Distributors may choose to participate voluntarily if they want to invest the resources. As in many things, you get what you pay for.
Why didn’t I include “Track & Trace” as a separate approach to securing the supply chain? Because the “Trace” part of “Track and Trace” performs the same role as ePedigree and the “Track” part doesn’t add anything extra to supply chain integrity. See my essay “Terminology: Track and Trace, and Pedigree“.
Which approach to blocking counterfeits like this Avastin case do you think is appropriate for our future? How much should we expect to spend to “solve” this problem? Who should pay for it? Should there be a single, global approach selected or different national approaches that are targeted to the specific problems that exist today in each locale? Leave a comment below.