How the DQSA Will–And Won’t–Protect The Supply Chain, Part 1

SuperheroThe supply chain provisions contained within the Drug Quality and Security Act (DQSA)—themselves known as the Drug Supply Chain Security Act (DSCSA)—mark a significant achievement by Congress and the industry to protect the U.S. pharmaceutical supply chain from criminals.  It is the first completed attempt since 1987 when the Prescription Drug Marketing Act (PDMA) was enacted by Congress and signed by President Ronald Reagan.  In comparison, the provisions of the DSCSA are much more detailed and extensive than the PDMA and they read as if they were heavily influenced by people who solidly understand the scale and complexity of the legitimate supply chain.  Which, they were, based on the contribution of the Pharmaceutical Distribution Security Alliance (PDSA)—made up of key stakeholders in the supply chain—in their development.  That should ensure that the industry will be able to adopt the technology and process modifications necessary to meet the new law on time.

But will all this also lead to true protection of the supply chain from criminal activities?  Will the DSCSA portion of the DQSA end up presenting new and insurmountable barriers against criminals who game the supply chain to their advantage and thereby putting patients at risk?  These are the true measures of the success of this type of legislation.  How can we know if the DSCSA will have these positive affects?  We could wait for another 10 years and then look back to measure how well it has worked.

I have a better idea.  An idea that I hope was applied before the legislation was written, to inform those who wrote what eventually became the DSCSA and lead them to create the right barriers to crime that would produce the maximum protection for the least cost to both patients and businesses.  Let’s look at the kind of supply chain crimes that have occurred over the last five or six years and figure out what affect the new provisions would have had on those cases.  If we can show that the criminals involved—or allegedly involved—in those cases would have faced early exposure or some other barrier, we might have some confidence that, at least those crime vectors have been addressed.

Of course, criminals are pretty enterprising folks, and when faced with a new barrier, they sometimes come up with new and very creative ways of going around it.  Those are the hardest things to predict and so the look back in ten years is still going to provide the best view of how well the DSCSA has done its job, but who wants to wait?

I have taken a particular interest in U.S. pharmaceutical supply chain crimes over the last 10 years, and I have written essays in RxTrace about some of those that have been in the press over the last 4 ½ years.


The Heparin tampering case was a hot topic in early 2008 when it was still playing out.  The alleged crimes did not take place within the finished goods pharmaceutical supply chain.  Instead, it was a case of tampering with the active pharmaceutical ingredient (API) that manufacturers use to make finished heparin, so why is it included in this list?  The crime was API tampering for profit (the FDA called it “Economically-Motivated Adulteration”, or EMA), but once the API problem was detected, large quantities of Heparin-based finished drugs already in the supply chain needed to be recalled to prevent life-threatening harm to patients.

It was these large-scale follow-on product recalls of time-critical and life-saving importance that demonstrated severe weaknesses in the supply chain’s ability to properly and efficiently execute recalls of almost any kind.  And the Heparin recall was the most complex of any in memory involving dozens of lots spanning multiple manufacturers, and not involving many other lots from those same manufacturers.

The case exposed to the public, State and Federal regulators—and members of Congress—that some kind of action was needed to give supply chain companies and regulators the ability to quickly identify specific drug packages, at least at the lot level, to improve the efficiency of future recalls.

If you don’t think the Heparin case belongs in this list because the crime was not in the finished goods supply chain, look no further than the involvement of the Pew Charitable Trusts in the development of the DSCSA and the larger DQSA.

Pew created a special group that studies the safety of the supply—and which quietly assisted in the development of the DQSA—shortly after the Heparin case broke and that group’s first major publication was the seminal white paper “After Heparin: Protecting Americans from the Risks of Substandard and Counterfeit Drugs” in 2011 (see the RxTrace essay about it:  “Pew Prescription Project: After Heparin”).  In that paper, Pew made the specific recommendations (greatly summarized here) for new regulations aimed at the finished drugs supply chain, all of which appear, in one way or another, in the DSCSA:

  • Serialize all drugs
  • require verification of drug transaction histories
  • Improve standards for wholesaler licensure and oversight
  • Mandate FDA notification when illegitimate drugs are suspected

In this way, the Heparin case has had a big impact on the development of the DSCSA.

How the DSCSA protects the supply chain from this type of crime
The DSCSA won’t have any effect on EMA crimes perpetrated on APIs, but it should have a profound effect on the accuracy and speed of execution of all types of recalls within the pharma supply chain.  This is because the law requires drug manufacturers to include the drug’s lot number in the machine readable 2D barcode that must be applied to all drug packages by November 27, 2017.

Today, most manufacturer labels on homogeneous cases already include the lot number within a barcode, but not the individual drug packages.  Those packages only include the NDC in a machine readable form.  To encode the lot number along with the NDC would have required a longer linear barcode so manufacturers only encode the NDC alone (see “Why NOW Is The Time To Move Away From Linear Barcodes” and “Will The FDA Eliminate The Linear Barcode On Drugs?”).

In the future, with the lot number available in every scan of a barcode, members of the supply chain will be able to include recalled lot checking in their scanning software.  If implemented properly across the supply chain, this will prevent the debacle that occurred after the tainted Heparin was recalled.  Notice that the DSCSA does not require the deployment of this kind of software, but it does enable the benefits that would be available.


Most people probably remember the Avastin crimes that occurred in just the last few years.  RxTrace readers should recall them from reading my essays, “How Counterfeit Avastin Penetrated the U.S. Supply Chain”, “Illegally Imported Drugs Found To Be Counterfeit…Again”, and “Pharma Supply Chain Criminals Get Justice, Part 2”.  There appear to be several separate cases but it is possible that the most recent cases are, in part, just echoes of the original case of illegal importation.  In that original case a licensed drug wholesale distributor in the United States illegally bought Avastin that was labeled for sale in Turkey from a distributor in the U.K..  According to a Reuters article the drug came to the U.K. distributor from a Danish Distributor who bought it from a Swiss Distributor who bought allegedly it from a distributor in Egypt.  No one is sure where it came from before that but some think it did not originate in Egypt but was only passing through.  The trail gets foggy at that point.

Once the drugs were in the hands of the U.S. distributor they were sold to physicians and small medical clinics around the U.S.  It might appear that the U.S. wholesaler is the only American entity to violate U.S. law but, in fact, because the Avastin turned out to be labeled for sale in Turkey or elsewhere, the packages did not have an NDC or other label features required by the FDA.  So anyone who bought the drugs and dispensed them to patients also broke the law.

What makes these cases most interesting—and at the same time, tragic—is the fact that the FDA determined that some of the illegally imported drugs labeled as Avastin, or as the Turkish version “Altuzan”, turned out to be counterfeit.  These units contained none of the active ingredients but the packages were apparently indistinguishable from the real Turkish packages.

How the DSCSA protects the supply chain from this type of crime
I’m not sure the DSCSA will have much impact on this type of crime because the criminal was too close to the end of the supply chain to offer an opportunity to detect and block the introduction of illegitimate drugs into the path to patients.  Notice that the U.S. wholesaler who illegally imported the Avastin knew that the drugs were not regulated by the FDA.  In the future, if they don’t come with the transaction information, transaction history and transaction statement required by the DSCSA and if they don’t have a 2D barcode, will that make any difference to a wholesaler like that?  Probably not.

But also notice that all of the physicians that the wholesaler sold the Avastin to were also either participating in the crime, or at least looking the other way, because the drug packages were clearly not designed for the American market.  No NDC, and the packages had Arabic printed on part of it, but they bought and dispensed the drug anyway.  They must have had more than an inkling that the drug was not legal, for those reasons, and because it was cheaper than Avastin from legitimate sources, but some of them dispensed it to patients anyway.

In the future, when all legitimate drugs must have 2D barcodes on them, and buyers in the supply chain must receive transaction data from the seller, will people like this be willing to look the other way just as readily as they did in this case?  Probably.


Back in early 2010 a group of highly skilled criminals broke into an Eli Lilly distribution center in Enfield, CT in what has become one of the most famous facility theft of any product because the criminals made off with a record-breaking $75 million worth of drugs.  Law enforcement agencies including DEA, ATF, FBI, U.S. Attorney of Florida, Miami-Dade Police Department, Florida Highway Patrol, the U.S. Attorney of Illinois and the U.S. Attorney of New Jersey assisted with the investigation, apprehension and charging in May of 2012 of the master-minds behind the crime.  All of the stolen drugs were recovered before they could be sold.  Read more about the crime and apprehension in “The Built-in Protections Of The U.S. Pharma Supply Chain”.

How the DSCSA protects the supply chain from this type of crime
The DSCSA should have a solid damping effect on those who would contemplate pharmaceutical warehouse burglary such as this in the future.  Once all drugs are serialized and the lot numbers are included in a machine readable form it will be very easy for companies in the legitimate supply chain to check whether or not a given package or case of drugs are on a “stolen” list somewhere by simply scanning it.  That will happen by November 27, 2017.  The DSCSA also requires supply chain participants to deploy systems by next January that will expedite the investigation of suspect drugs so any suspicious offering of a drug known to be stolen recently could cause a criminal to be exposed very quickly.

None of this guarantees that stolen drugs will always be blocked from reentering the legitimate supply chain, or that those that do make it in will be detected, but it will cause criminals to think that maybe it is not worth it anymore to deal in stolen pharmaceuticals.  Maybe they will decide to target some other kind of product—anything but pharmaceuticals.


Back in early 2009 a truck carrying $10.9 million worth of drugs from Novo Nordisk disappeared from its last known location in Conover, NC.  Some of the drugs stolen were Levemir, an injectable insulin that must be kept refrigerated to maintain its potency.  The heist, the investigation and the outcome were chronicled by investigative journalist Katherine Eban in an excellent article in Fortune/CNN Magazine online called “Drug Theft Goes Big”.  I wrote an essay analyzing the supply chain details of the crime that Eban’s article provided (see “Lessons from ‘Drug Theft Goes Big’”).  I followed up the essay with another one that analyzed the reliance on trust in the current supply chain and how it can so easily be exploited (see “Reliance on Trust in the U.S. Pharma Supply Chain”).  Finally, I wrote a third essay on the some of the criminal prosecutions that resulted from this case (see “Pharma Supply Chain Criminals Get Justice”).

My interest in this case comes from the fact that its investigation and prosecution relied on a forged paper pedigree.  In my “Lessons…” essay I explain why even a forged pedigree is a very effective tool for nailing the criminals.  I imagine that the people who forged that pedigree thought they were being so clever, when in actuality they might as well been signing their confessions.  They later plead guilty and went to prison.

The case also includes missed opportunities for stopping the progress of the stolen product once it reentered the legitimate supply chain.  It turns out that Novo Nordisk sent messages to all authorized wholesalers and retail pharmacies informing them of the NDC and lot numbers that were stolen, but a chain pharmacy later bought some of the stolen Levemir.  Unfortunately it was then dispensed to some patients.  Because the criminals failed to keep these units at the proper temperature before they sold it back into the supply chain, adverse reactions occurred in multiple patients.

How the DSCSA protects the supply chain from this type of crime
All of my comments above under the Eli Lilly warehouse theft apply here as well.  The transaction information, history and statements that supply chain members will be required to pass starting next January as part of the DSCSA requirements could be considered equivalent to a pedigree.  Since they will be required (in one form or another) for all drug shipments, criminals like those in this case may find it too treacherous to fake them, just as those in the Levemir case found out the hard way.  Once suspect product is detected in the supply chain this documentation will help to standardize and expedite investigations.  However, I am not yet convinced that it will help to detect criminal introductions in the first place.

The reason is two-fold.  First, the transaction information, history, and even the statements will probably be easily faked (depending on how the FDA interprets the new law).  Second, the law does not require anyone to check the validity of any of the information provided to them by a supplier and so until something triggers some type of suspicion, the crime could go undetected.

That’s largely what happened in the Levemir case.  The forged pedigree did the job the criminals hoped it would, up to a point.  The legitimate buyer of the stolen drugs accepted the forged pedigree and so the criminals got paid for the drugs.  Because no one was required to check the validity of the pedigree nothing was detected until adverse events in patients caused the FDA to become suspicious which led to an investigation and finally to the discovery of that forged pedigree, which the criminals then became sorry they had forged.

So what have we gained with the DSCSA?  Standardized, faster investigations, once they are triggered?  But those investigations still might not be triggered until after some patients are harmed.


Buying pharmaceuticals from patients who were dispensed drugs to treat their personal medical conditions and then packaging them along with those bought from other patients, and then selling them as new drugs back into the legitimate supply chain is a form of diversion and it is illegal.  Workers associated with a small wholesale distributor in Tennessee are accused by the U.S. Department of Justice (DoJ) of doing exactly that.  The case is outlined in the essay “How Pedigrees Protect The Drug Supply: The Case Against Cumberland Distribution”.

In this case, once again, the alleged co-conspirators allegedly thought it would be in their best interest to forge pedigrees so that they could allegedly hide the true source of the drugs they offered to their pharmacy customers.  The case is apparently still being prosecuted and I haven’t heard an update since I wrote the original essay, but if the DoJ wins the case it will likely be due to those allegedly forged pedigrees.

How the DSCSA protects the supply chain from this type of crime
The same comments made about the transaction data under the Levemir case above also apply to this case because it also involves forged pedigrees.  Just like the Levemir case, I am not yet convinced that the DSCSA will have much effect on this type of crime.  Forging transaction data appears to be too easy under the DSCSA, and with no one checking the validity of their contents, criminals may find that they are easy to exploit.  We just have to hope that the faster investigations will always find and punish the criminals.

Pharma supply chain crimes are as diverse as the criminals that execute them.  The criminals are also very creative, finding new vectors whenever they find an old one is blocked.  Let’s hope that the DSCSA is an effective crime fighting tool that will raise the cost to criminals just enough to cause them to look elsewhere, or look for a less risky profession.

Do you believe the DSCSA will protect against these different types of crimes more than I do?  Less than I do?  Leave a comment below.