
India's drug QR coding programme – anatomy of a debacle

India is again making news in the pharmaceutical sector, but for all the wrong reasons.

A sudden increase in counterfeit medicines, by some estimates as much as 50 per cent since the end of the COVID-19 pandemic, is plaguing the country and especially the northeastern Bengal region [1]. Recent raids on warehouses and retail facilities led to the discovery of 66m Indian rupees ($760,000) worth of fake drugs across multiple therapeutic areas [2].

India has long struggled to contain its fake drug problem in the domestic market, which has only compounded its unfortunate growing reputation as a supplier of substandard export drugs, especially to Africa [3,4].

In an attempt to contain the problem at home, the Indian Ministry of Health and Family Welfare issued a mandate in 2023 requiring the top 300 drug brands to print a QR code that when scanned by consumers would provide key information such as the brand name, manufacturer details, batch number, and expiry date [5].

The effort was widely hailed by various parties, with some rushing to proclaim that the scourge of fake medicines in India will soon be relegated to a bygone era [6-8].

It has now emerged that the very QR code meant to protect Indian consumers has itself been compromised through copied versions appearing on fake medicines [9,10]. This is not the least bit surprising because it is expected that counterfeiters will use every means to try to defeat a new product security system. What is surprising, however, is how easily the Indian programme can be tricked into actually preventing counterfeit detection.

The design flaws in the programme were apparent as early as 2018 when the framework was being conceptualized [11]. A series of published articles then raised further alarm during the stakeholder engagement period prior to the programme's launch [12-14].

Here, I provide a detailed explanation of critical flaws in the Indian programme using actual examples of QR-coded products from the market, now that the mandate has been implemented without revision. The discussion will revolve around five specific case studies using product exemplars that display different approaches to implementation. I hope to make clear that both design and deployment deficits in India's barcoding programme have created a gift to the counterfeiter, resulting now in a serious threat to public safety.

Case study 1 - serial number-based QR code

The first case study is based on a medicine that has actually been counterfeited and discovered in a recent raid in Kolkata [15]. The product is Telma AM (manufactured by Glenmark), a well-known blood pressure medicine that is sold to customers as a 15-tablet blister pack (Figure 1A). The QR code along with associated text is printed on the right side of the blister (Figure 1B).

It is instructive to first understand the content of the QR code in this specific example, which is shown in the figure in blue text. There are three specific components — a link to the manufacturer's website, a 14-digit drug code (found after the /01/ identifier) and a unique alphanumeric serial number (found after the /21/ identifier).

The drug code is common to all packages of this SKU whereas each individual blister pack has its own unique serial number. The customer is automatically directed to the drug maker's site upon scanning the QR code, whereupon the drug code is used to retrieve the data associated with it. If the serial number happens to be a match, the drug data is then pushed to the user's smartphone and appears on the screen (Figure 1C).

Although serialized barcoding was once viewed as an effective protocol for drug protection, it is no longer accepted to be a secure format [16]. The reason is that counterfeiters can easily copy the QR code's content from a genuine product in the marketplace and then replicate that on fake variants. The system at the backend cannot distinguish whether the incoming signal is from a genuine or counterfeit package; both signals are identical and since the serial number happens to match one that was issued by the company, the drug is deemed to be safe and the information associated with it is pushed to the customer.

The danger here is that a customer is reassured in having obtained a genuine drug even with a counterfeit variant. This issue is taken up further in Case study 4. To make matters worse, the Indian programme uses an open-format QR protocol that makes it highly susceptible to compromise [17]. It is not known how many fake medicine packs have escaped into the consumer market [18]. The printed QR code on those packages will not help inspectors to discern if they are genuine or fake; they will have to rely instead on forensic testing for confirmation.

Case study 2 — batch number-based QR code

The next case study illustrates how the poorly designed QR testing framework can make drug counterfeiting even easier than in the previous case. There are many products that fall in this category and therefore the case study here is meant only to be illustrative of a much larger and serious problem.

The exemplar for this case is the imported global blockbuster Jardiance 10 mg (marketed by Boehringer Ingelheim). The drug is distributed to pharmacies via a secondary carton (Figure 2A) containing nine blister packs of 10 tablets in each (Figure 2B). The customer-facing pack is the blister and therefore the QR code appears there, though this is strictly not required under the Indian mandate.

It is, however, the content of the QR code that is especially worrisome here. The embedded content, as shown by the blue text, contains a link to the manufacturer along with the drug code, as before. However, the serial number is now replaced by the batch number, which appears after the identifier /10/ in the code's content. In other words, the batch number, which encompasses thousands of blister packs collectively, replaces the individual blister's unique serial number seen in the first case study. The operation in the backend unfolds the same way. The drug code is used to retrieve the data associated with it, which is then pushed to the user's smartphone so long as the batch number is a match (Figure 2D).

The counterfeiter can have a field day with products that follow this coding scheme because rather than having a unique serial number be the determinant of a successful match, that process is now relegated to matching the batch number. Whereas a serial number is specific to a single package, a batch number on the other hand can represent many thousands of packages. Mass replication of the QR code from a single genuine package that employs a serial number construct has a greater chance of detection because that same number would then be authenticated at multiple places at different times, and therefore raise a flag to the brand owner.

The probability of detecting a fake product under a batch number lookup system is negligible because of the many packages clubbed under it. It is fundamentally unknowable in this case whether multiple successful authentications arise due to the same QR code appearing on many fake packs or whether many different customers are authenticating genuine packs from that same batch.

It is therefore simply not possible to detect a fake medicine through this type of QR code construction. In fact, the counterfeiter can even incorporate the batch number-based QR code as part of the static artwork on its blisters and therefore have a better appearing code than even the brand owner [19]. And those blisters will always be positively authenticated all the while buyers of those products are actually ingesting a fake medicine.

The illusory scan outcomes here are allowed to take place because the Indian mandate does not forbid product authentication through its batch number. The only requirement is that the drug details somehow appear on the screen after a QR code scan. There was no forethought as to how such a protocol could be so easily compromised and how difficult it would then be to arrest the problem.
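The detection argument from Case studies 1 and 2, worked through as an added example (not code from the article or from any manufacturer's backend). The scan records, the drug code, the city-count rule and the batch size of 5000 are all constructed assumptions.

```python
from collections import defaultdict


def suspect_codes(scans, packs_per_code):
    """Flag codes scanned in more cities than their genuine packs can explain.

    scans: (city, drug_code, value) tuples, value being the serial or batch
    number the backend matched. packs_per_code: number of genuine packs that
    carry the same code (1 for a serial number, the batch size for a batch).
    """
    cities = defaultdict(set)
    for city, drug_code, value in scans:
        cities[(drug_code, value)].add(city)
    return {code: sorted(seen) for code, seen in cities.items()
            if len(seen) > packs_per_code}


# Constructed scan logs. In both, the code from one genuine pack has been
# copied onto fakes that reach customers in other cities.
DRUG = "00000000000017"  # made-up 14-digit drug code
SERIAL_SCANS = [
    ("Kolkata", DRUG, "SN0001"),   # genuine pack
    ("Howrah", DRUG, "SN0002"),    # genuine pack
    ("Siliguri", DRUG, "SN0001"),  # copy of SN0001
    ("Durgapur", DRUG, "SN0001"),  # copy of SN0001
]
# Same events under batch-level coding: every pack, genuine or fake, sends
# the same batch number, so the log reads the same as an all-genuine one.
BATCH_SCANS = [(city, DRUG, "LOT0001") for city, _, _ in SERIAL_SCANS]
ASSUMED_BATCH_SIZE = 5000  # assumption; the article speaks of many thousands

if __name__ == "__main__":
    # The copied serial stands out because one pack cannot be in three cities.
    print("serial-level:", suspect_codes(SERIAL_SCANS, 1))
    # No flag: thousands of genuine packs legitimately share this code.
    print("batch-level: ", suspect_codes(BATCH_SCANS, ASSUMED_BATCH_SIZE))
    # Lowering the threshold flags the batch, but it would equally flag any
    # genuine batch sold in more than one city, so the flag carries no signal.
    print("batch, threshold 1:", suspect_codes(BATCH_SCANS, 1))
```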

Case study 3 — static QR code

The problems outlined in the prior case study are much worse with this exemplar because the theoretical printing of a static QR code is actually a reality here. The product for this case study is the blockbuster diabetes drug Januvia 100 mg (manufactured by MSD). The drug tablets are contained in a blister pack that in turn is placed singly inside a carton (Figure 3A). The QR code can be found on the carton's top surface and appears as a sharp high-contrast print (Figure 3B).

The reason for this high level of print quality is that the QR code is actually part of the package artwork. Unlike the prior two case studies where the code was dynamically printed on the packaging line so that it could have the serial number and batch number respectively from that production, this product has a fixed QR code that is identical on each and every carton. The same holds true for the blister pack inside, which also has the same printed code. The suppliers for both the carton and foil have incorporated the QR code into their printing plates, which in turn yields large volumes of identical high-quality print matter. And that in turn creates an even more welcoming opportunity for counterfeiters.

The QR code in this case merely contains a link to the drug maker's site, as shown by the blue text in the figure. The same content is found in all printed QR codes for this product. Scanning the code opens up a window where the user is asked to enter the batch number (Figure 3C), which in turn is found on one of the carton's side flaps (Figure 3D). Once a correct batch number is entered, the user is sent the drug details (Figure 3E), thereby complying with the regulatory mandate. This programme is therefore also based on batch number lookup, as in the previous case study. However, rather than have that number incorporated into the QR code, the user must enter it manually here.

This situation represents an ideal scenario to counterfeiters because their fake packages need only have the QR code as shown in Figure 3B incorporated into the artwork. There is no need for the more arduous task of printing a variable QR code, either based on a unique serial number (as in Case study 1) or batch number (as in Case study 2). The counterfeiter must only ensure that a correct batch number appears on the fake package side flap through the much easier process of ink jet printing, embossing or similar means.

The situation in this case study therefore suffers from all the fatal flaws associated with batch number-based verification as above, with the added benefit of a static QR code. Counterfeiters only need to periodically find product packages in the market with updated batch numbers. And even that may not be necessary because many manufacturers use a sequential system for generating batch numbers. In this example, a range of batch numbers that bracket the actual value from the example above were all found to be valid — jvc24015, jvc24016, jvc24017, jvc24018, jvc24019. A simple simulation through a web browser using the link below will show how trivial it is to defeat this system.

https://msdqrc.in/info/januvia/

Counterfeiters can therefore incorporate a variety of correct batch numbers on literally millions of fake packages moving forward, with all of them producing the illusion of a successful verification.
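The three code constructions from Case studies 1 to 3 can be told apart from the scanned content alone. The following is an added example for auditing a pack's QR content, not code from the article or any manufacturer; the host name and sample codes are constructed placeholders, and only the /01/, /21/ and /10/ identifiers come from the text.

```python
from urllib.parse import urlsplit, unquote

# Identifiers as described in the article: /01/ precedes the 14-digit drug
# code, /21/ a unique serial number, /10/ a batch number.
FIELDS = {"01": "drug_code", "21": "serial", "10": "batch"}

# What each construction lets a verification backend tell apart (per the article).
NOTES = {
    "serialized": "copies match too; only repeat scans of one serial hint at cloning",
    "batch-level": "every pack in the batch matches; copies are indistinguishable",
    "static": "same link on every pack; the check rests on a typed-in batch number",
}


def parse_qr_payload(payload):
    """Split a scanned QR link into its host and any /01/, /21/, /10/ fields."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("QR content is not a web link")
    segments = [unquote(s) for s in parts.path.split("/") if s]
    found = {"host": parts.netloc.lower()}
    i = 0
    while i < len(segments):
        name = FIELDS.get(segments[i])
        # An identifier counts only when a value follows it; the value is
        # skipped so that a serial such as "10" is not read as an identifier.
        if name and name not in found and i + 1 < len(segments):
            found[name] = segments[i + 1]
            i += 2
        else:
            i += 1
    code = found.get("drug_code")
    if code is not None and not (code.isascii() and code.isdigit() and len(code) == 14):
        raise ValueError("value after /01/ is not a 14-digit drug code")
    return found


def classify(payload):
    """Return 'serialized', 'batch-level' or 'static' for a scanned QR link."""
    fields = parse_qr_payload(payload)
    if "serial" in fields:
        return "serialized"
    if "batch" in fields:
        return "batch-level"
    return "static"


# Constructed sample payloads (placeholder host, made-up codes), one per case study.
SAMPLES = [
    "https://verify.example/01/00000000000017/21/A7K2M9Q4",
    "https://verify.example/01/00000000000017/10/LOT0001",
    "https://verify.example/info/product/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        kind = classify(sample)
        print(f"{kind:12} {NOTES[kind]}  <- {sample}")
```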

Case study 4 — false reassurance

The next case study looks at another dangerous situation that again arises due to the poor design of the Indian mandate. The exemplar for this case study is Vymada 50 mg (manufactured by Novartis), an expensive drug imported from Europe for the treatment of heart failure.

The medicine is contained in blister packs, with two blisters placed inside a carton (Figure 4A). The consumer-facing package is therefore the carton, although blisters can be sold individually as well, which is a common practice in India. The QR code supporting the Indian mandate is printed only on the back of the secondary carton and not the blisters (Figure 4B).

The content of the QR code (Figure 4C) is similar to prior examples where the authentication regime is based on batch number verification, and therefore suffers from the same pitfalls taken up in Case studies 2 and 3 above. Counterfeiters can therefore easily place a replica code on fake packs based on data captured from genuine products in the market. The fake QR code may even appear as a static impression as part of the package artwork, which would give it a far more professional appearance. Regardless of how counterfeiters proceed with their duplication effort, the medicine here is again highly susceptible to the illusion of successful authentication on counterfeit variants.

What stands out in this particular case, however, is the message sent to the consumer, which displays a check mark with the text "Verified Product" (Figure 4D). Whereas the prior exemplars merely provided the drug data upon authentication, as required under the Indian mandate, the scan response here goes a step further to proactively declare that an authentic product has been scanned. That is not a problem with a genuine medicine pack. However, a consumer will receive the exact same message after scanning a counterfeit pack that has been compromised through QR code duplication.

It has been widely held in the brand protection community for more than two decades that a message pushed to the consumer should never outright declare product authenticity for the simple fact that it can lead to false reassurance. There is nothing worse than for a patient to believe that a genuine drug is being consumed when in fact it is not.

Case study 5 — absence of primary package coding

The final case study is illustrative of how the poorly conceived Indian mandate can be used to avoid the most fundamental requirement in any protective programme — to ensure that consumer-facing drug packages are capable of being authenticated. The exemplar for this case study is Augmentin 625 Duo (marketed by GSK), the highest selling medicine in India [20] and also a common target of counterfeiters [21,22].

The medicine is distributed to pharmacies via a secondary polycarton — a package that here contains 10 blister strips with 10 tablets in each (Figure 5A). It is virtually never the case that a patient would purchase a full carton of 100 tablets and therefore the consumer-facing pack is the blister. This exemplar displays both product vulnerabilities covered before — the possibility of false reassurance through a "Verified Product" notice to consumers (Figure 5B) and an authentication protocol based on batch number verification, as confirmed by the QR code content (blue text in figure) having the batch number identifier (/10/). The batch numbers here again follow a sequential format, making it that much easier for counterfeiters to swap numbers from a large range to mimic actual production values.

The most serious problem in this case actually has nothing to do with the QR code or its construction (Figure 5C), but rather that the code is entirely missing from the consumer-facing product — the blister strip (Figure 5D). Thus, a technology meant to reassure consumers is missing from the only item that they actually purchase. It is a certainty that few consumers would seek to examine the secondary pack. And that in turn sets up an ideal scenario where counterfeiters can distribute fake blister packs of this product to retail pharmacies with the full knowledge that even the genuine blisters lack any means for consumer verification. The entire QR coding mandate becomes superfluous when consumer drug packages are exempt from protection.

The final point around this case concerns an additional fatal flaw that appears to have gone unrecognized by the Health Ministry. This adversity is best understood by visualizing the following realistic scenario. Imagine that a retailer has received several secondary polycartons from his supplier, each containing a set of 10 blister packs. To protect both his business and customers, the retailer scans each polycarton code (Figure 5C) and is thereafter assured that it is a genuine pack, and by extension so are its contents. The retailer can then sell those medicines without concern for their integrity.

Now, what if those secondary packages were actually counterfeit versions with fake drugs inside? It would be trivial after all to incorporate a copied QR code from a genuine package. The retailer in this case would observe an identical scan outcome as if the secondary packs were really genuine. Counterfeiters can thus use clandestine supply channels to propel their fake medicines because they now have a government-authorized tool at their disposal to deceptively convince downstream traders that their products are indeed authentic. Brand owners that pursue coding only on such secondary polycartons have thus created a perfect storm of opportunity for misleading the retail community to further perpetuate distribution of fake versions of their own products.

Turning the page

The serious flaws described here through five case studies demonstrate how the Indian QR coding programme fails to detect fake medicines with any degree of confidence. In fact, the programme design actually empowers criminals to now become more brazen, which in turn will accelerate the counterfeit drug problem across India because of this programme. The exemplars used in this article to make that case were just that — medicines that are representative of a deep-seated problem that also afflicts the other 300 or so drugs that fall under the same mandate and which undoubtedly suffer from the same programmatic defects.

The most damning feature is that counterfeiters can so easily co-opt the nationally mandated programme to mimic genuine products with negligible chance of detection. It will be the case that fake medicines with copied QR codes are discovered only when they fail to produce the desired therapeutic outcomes. QR codes on fake drug packages would actually be inconsequential to the discovery. A nation that must rely on the chance possibility of counterfeit detection from a medical failure has abdicated the right to claim success of its regulated solution.

So, how did all this happen? For starters, it appears that the Health Ministry developed a plan without adequate forethought about its vulnerabilities and without stress testing the different implementation options for meeting the required consumer notification goals. The outcome of those failures now qualifies the Indian framework as one of the worst anti-counterfeiting programmes anywhere. And in that effort, the Indian pharmaceutical industry stood by and allowed this debacle to encompass its products, even though these companies all have product security personnel with claimed expertise. The drug makers could have easily placed additional empowerment layers upon the national programme or fortified their medicines with further options, all of which were allowed. And finally, the various solution providers that executed these programmes for their clients competed against each other to offer the lowest cost option, cutting corners in the process to deliver some of the worst conceivable outcomes.

There is really just one option now moving forward — the current programme must be immediately revoked and replaced with a more effective and enduring framework. Moreover, a stated plan to expand the QR coding programme to cover oncology drugs [23] would be an unimaginable travesty if executed under the circumstances, and therefore must be immediately halted. The sad reality is that a programme that was meant to protect the Indian people has now become a vehicle to empower counterfeiters so that they can proceed with even more brazen acts of fraud [24]. That must not stand.

The question is — who will now rise up for the Indian people? As Nelson Mandela famously said, "It's never too late to do the right thing."

References

[1] https://indianexpress.com/article/cities/kolkata/bengal-chemists-association-flag-47-per-cent-rise-fake-medicines-post-covid-9875371/

[2] https://ddnews.gov.in/en/health-ministry-cracks-down-on-spurious-drugs-major-seizure-in-kolkata/

[3] https://www.thehindu.com/news/national/substandard-indiamade-drugs-in-africa/article6515581.ece

[4] https://pulitzercenter.org/stories/how-who-leaves-poor-countries-exposed-dangerous-indian-drugs

[5] https://egazette.gov.in/WriteReadData/2022/240392.pdf

[6] https://pyrops.com/how-indian-govts-qr-code-mandate-is-revolutionizing-the-pharmaceutical-supply-chain/

[7] https://www.livemint.com/companies/news/drug-packaging-to-sport-qr-code-to-stop-counterfeiting-11655484777794.html

[8] https://www.expresspharma.in/mandatory-qr-codes-on-apis-benefit-or-burden/

[9] https://timesofindia.indiatimes.com/city/kolkata/spurious-meds-worth-over1-crore-in-open-market/articleshow/118460970.cms

[10] https://www.thedailyhints.com/west%20bengal-news/details/542

[11] https://www.securingindustry.com/pharmaceuticals/viewpoint-india-s-serialization-proposal-for-pharma-is-a-bad-idea-here-s-why-/s40/a7889/

[12] https://www.securingindustry.com/pharmaceuticals/viewpoint-the-emerging-barcode-initiative-for-medicines-in-india/s40/a14748/

[13] https://www.securingindustry.com/pharmaceuticals/viewpoint-the-emerging-barcode-initiative-for-medicines-in-india/s40/a14793/

[14] https://www.securingindustry.com/pharmaceuticals/viewpoint-the-emerging-barcode-initiative-for-medicines-in-india-part-3/s40/a14832/

[15] https://indianexpress.com/article/cities/kolkata/bengal-chemists-association-flag-47-per-cent-rise-fake-medicines-post-covid-9875371/

[16] https://www.securingindustry.com/mass-serialization-failing-in-consumer-products-sector/s112/a3127/

[17] https://cdn2.hubspot.net/hubfs/3844090/A%20Gift%20to%20Counterfeiters.pdf

[18] https://www.millenniumpost.in/bengal/amta-spurious-medicines-worth-about-rs-17l-seized-from-godown-599723

[19] https://cdn.standards.iteh.ai/samples/65577/86c49f7b5f92467dbe2035405616d0eb/ISO-IEC-15416-2016.pdf

[20] https://economictimes.indiatimes.com/news/new-updates/gsks-antibiotic-drug-augmentin-is-indias-highest-selling-brand-with-rs-80-crore-monthly-sale/articleshow/118322074.cms?from=mdr

[21] https://medicaldialogues.in/news/industry/pharma/counterfeit-medicines-worth-rs-2-crore-of-augmentin-pan-d-urimax-d-and-others-seized-from-kolkata-warehouse-115362

[22] https://english.mathrubhumi.com/lifestyle/health/counterfeit-drugs-india-pan40-augmentin-1.10228367

[23] https://www.thehindu.com/sci-tech/health/anti-cancer-drugs-may-soon-have-qr-codes-to-prevent-counterfeits-in-the-market/article68721618.ece

[24] https://www.securingindustry.com/pharmaceuticals/seizure-shows-frailties-in-india-s-anti-fake-meds-system/s40/a16865/

 

Dr Avi Chaudhuri is an acclaimed expert in the field of anti-counterfeiting, working with both governments and the private sector. He founded The Kulinda Consortium, a global alliance of solution providers that focuses on emerging nations to protect their citizens from fake drugs.

Dr Chaudhuri is now engaged in designing anti-counterfeiting programs for several countries across Africa, working closely with senior government officials. The Kulinda program in Tanzania-Zanzibar rolled out in 2024 resulted in the complete elimination of counterfeit medicines within four months of launch for products on which his solution was applied.



© SecuringIndustry.com

