The Indian QR coding programme introduced in 2023 to detect counterfeit medicines will instead now cause great harm due to its flawed design and poor implementation by drug makers, with multinational companies being among the worst offenders.
India is suddenly facing an onslaught of counterfeit medicines that appear to be everywhere. Both local and national media coverage has been relentless, with near-daily stories of fake drugs appearing across multiple therapeutic areas [1-3]. Although the problem of counterfeit drugs is not new to India, its sudden explosion has caught many by surprise, with growing demands now for the government to immediately confront the problem [4-5].
An effective way to meet that objective could have involved market surveillance and interdiction through QR codes that were mandated by India's Health Ministry to appear on the top 300 drugs [6]. That programme was intended to provide consumers with an effective tool for immediate reassurance at the point of sale. By merely scanning the QR code on the package via a Smartphone, the buyer would immediately obtain key information on the medicine and therefore be assured of its authenticity.
Now that the QR coding programme has been in place for more than 18 months, government inspectors supported by an engaged citizenry could have easily been on the frontlines of tackling the current peril by using that very tool. Instead, the QR programme is beset with claims of outright code duplication, engagement apathy and a dawning realisation that a solution created after years of delay and deliberation is just not fit to deliver on its stated objectives.
There are two clear causes of this fiasco, starting with the rollout of a poorly conceived regulatory framework by the Indian Health Ministry. In the first article of this series, I reviewed the government's mandate to show how its many flaws set the stage for exploitation by counterfeiters whereby they can now easily replicate the QR codes to create an illusion of authenticity on fake drugs [7]. In short, the Indian mandate has become a gift to counterfeiters and stands as one of the worst drug security programmes unveiled anywhere. But there is a second and actually bigger perpetrator of this debacle — the Indian drug industry.
For years, the Indian pharmaceutical complex had neglected to put in place worthy solutions that could protect their patients by mitigating counterfeiting attacks against their brands. Although a few drug makers made sporadic efforts, most just accepted the counterfeiting problem as a cost of doing business. The collective mindset was to pass the buck to the government and wait for its proposed solution. And when that came, there was widespread jollity to acquiesce to the mandate [8,9], and for many in the feeblest way possible.
Here, I analyse exactly how the Indian compliance requirement has been met by companies that manufacture those drugs named in the government's top 300 list. The shocking outcome of the scrutiny is that most drug makers, including some of the largest multinational companies in the world, have complied with the mandate in ways that will further enable the counterfeiters and bring immense harm to the Indian people.
The drug industry was given wide latitude as to how it deployed the government's mandate so long as the stipulated details about the medicine and its manufacturer appeared on the patient's phone after a QR scan. Drug companies delivered on that requirement through various means, as described in Part 1 of this series through five specific case studies. Each exemplar in that article illustrated a different hazard in the government's mandate. That analysis led to the question of how the drug industry's own culpability to meet the moment can be objectively documented across all the participating companies.
Two key questions drove this analysis — did the way a drug company fulfils its mandatory coding requirement make it more enticing now for counterfeiters to create fake versions of its QR codes? And if that happens, what is the likelihood of catching those fake codes? To address these questions, a QR usability risk index was developed based on six key factors drawn from both printing and digital considerations, as shown in Figure 1. Each factor is associated with low- and high-risk outcomes based on how it was executed, as described next.
Pack level — QR codes appearing on a consumer-facing unit (CU) — i.e., the thing that people actually buy — provides much lower risk against duplication by counterfeiters due to the greater effort needed compared to those codes that appear only on tradable units (TU), such as secondary cartons that contain multiple CUs. Different types of barcoded CUs are shown in Figure 2, which can be downloaded from the online portal accompanying this article [10].
QR content — The Indian mandate requires certain drug details to be sent to the consumer's phone after scanning. A unique serial number embedded in each QR code can be used to recover that data from the backend. Another approach is to replace the serial number with the batch number for that product in the QR code. This is a high-risk protocol, however, as explained in Part 1 of this article series. Figure 3, which is available at the online portal [10], provides an illustrative explanation of why batch number-based QR coding represents the highest threat level to consumers.
Code readability — The third factor for assessing QR threat is its print quality, which in turn determines scan readability. Figure 4, available at the online portal [10], shows several blisters with varying print quality. Drug packages with poor code readability have greater risk because counterfeit versions cannot be properly differentiated in the market from genuine ones. Whereas the first two factors were binary in nature, e.g., the QR code was either on a CU or TU, code readability could be on a quality continuum depending on the company's printing approach and placement decision.
Digital factors — Whereas the prior three factors were all related to printing considerations, i.e., code location, content and quality, the next three all fall within the digital domain. The way each digital factor is executed in turn can impact the threat presented by the QR code. For example, an unrestricted number of allowable scans will significantly elevate risk because duplicate codes on fake products will continue to generate successful outcomes as the same code continues to be misused in the market. This consideration applies only to serial number-based codes because the benefit of unique digitisation is lost with batch number-based codes, which can be authenticated an unlimited number of times.
Similarly, the way the serial number is constructed has significant impact. Drug companies that use a sophisticated encrypted engine will deliver high-security serial numbers that resist compromise through predictability compared to those using a simple and primitive number generator. It will be shown later that some drug makers have adopted extremely weak serial number constructs that are very easily compromised, leading to the possibility of the entire programme being hijacked by counterfeiters.
And finally, the responsiveness of the site is critically important. As will be shown in a later section that rates the drug companies individually, some QR codes are either entirely unresponsive, extremely slow or even provide a marketing message first rather than the authentication result. All of these factors together elevate the threat level and help counterfeiters. The more sluggish the authentication result, the more likely it is that the programme will be compromised because of elevated public apathy in interacting with that product.
The six risk factors outlined in Figure 1 were then assembled to generate QR code usability threat profiles, which in turn were used to evaluate the drug companies. The matrix shown in Figure 5 uses the six risk factors to place each programme into one of four threat categories — low, moderate, high and extreme.
A QR programme that presents low risk among all six factors is determined to have a low QR usability threat (Category 1). In other words, the programme follows best practices in structuring the code's content, print location and quality, along with a strong set of digital factors. On the other hand, a drug company that has deployed a batch number-based QR programme, either on the consumer-facing unit or more likely the tradable unit, represents extreme threat (Level 4), irrespective of how it fares on any of the other risk factors. The two other threat categories — moderate and high — are those programmes based only on serial-numbered QR codes but with higher risk presentations in the other factors.
The Indian Health Ministry required a total of 52 drug makers and marketers, collectively the Market Authorisation Holder (MAH), to comply with the QR coding requirement. This study analysed codes belonging to 47 of those companies; five companies appear to produce niche drugs that are largely available through special order (Bharat Serums, Biochem, Hetero, Natco, and Roche). The products of four companies — Eli Lilly, Franco Indian, Geno and Medley — were not compliant with the Indian mandate for various reasons.
The threat category that was derived for each company is predictive of the danger its QR programme represents to patients with regard to two core questions: 1) did the company make it easier for counterfeiters to create replicas of their QR codes on fake medicines; and 2) what is the likelihood of catching the fake product through its duplicated code, either by consumers or inspectors?
A full sortable database of the company ratings accompanied by their threat justifications can be downloaded from the online portal [10]. An overview of the findings in each threat category with some notable observations is given next.
Among the 47 companies, only three QR programmes (~6 per cent) displayed a low threat level, as shown in Table 1. These drug makers developed their programme based on industry best practices, in particular by using serial number-based QR codes and applying them on consumer-facing units, which were blister packs in all cases.
There are however three caveats to the otherwise good news for these companies. The first relates to the warning that asks consumers to notify the company if the same drug package is authenticated multiple times, which could happen if the code is compromised. Glenmark unfortunately removes the warning after a day, which is a serious oversight. As for Abbott and Sun Pharma, both also allow patients to reach out to the company after a multiple-authentication warning is issued. However, there was complete silence when this outreach feature was tested, thus missing out on an excellent opportunity to gather actionable intelligence on a possible counterfeiting threat.
The second caveat is that all three companies provide a check mark or an overt statement that the tested product is genuine. This is widely considered to be an elementary security loophole because consumers would receive false assurance in the event a copied QR code on a counterfeit product is being checked.
The third caveat is that having a low threat rating does not necessarily mean that the company is immune to being attacked by counterfeiters. In fact, the same Glenmark product shown in Table 1 was targeted in a recent episode where fake versions of it contained replica QR codes [11]. Counterfeit versions of the same Abbott and Sun Pharma products shown in Table 1 have also been recently found [12], though these did not yet have any QR codes because they predated the compliance start date.
Among the 47 companies assessed, twelve QR programmes (~25 per cent) displayed a moderate threat level, as shown in Table 2. All products in this category had to display the two safe attributes of having serial number-based codes along with their appearance on consumer-facing units. However, in all cases consumers were allowed unlimited authentications — i.e., the code is not frozen, a warning is not issued and a notification is not sent to the consumer to obtain any information on the product, as described above for Category 1.
The allowance of unlimited authentications of a QR code is a serious security flaw because copied codes placed on counterfeit variants would continue to provide false reassurance to patients. The threat assessment matrix in Figure 5 therefore places these products in the moderate risk category.
Among the 47 companies assessed, eleven QR programmes (~22 per cent) displayed a high threat level, as shown in Table 3. In all cases, the products have serial numbered QR codes placed on consumer-facing units, with the exception of the vial and Rondo tray for Bett 0.5 ml injection (made by Biological E).
The reason why these products were elevated to Level 3 (high threat) category is that they showed at least two risk factors from the threat matrix (Figure 5), and sometimes three. The case-by-case details of the various risk assignments can be found in the full rating database in the online portal for this article [10].
A few observations are however noteworthy. Several products required a long wait after scanning before the result was loaded. This adversity not only diminishes consumer enthusiasm to interact with the product but also allows counterfeiters to capitalise on that weakness. In the case of one product (Cyra D by Synoptic), the response was slowed down by a marketing message that first appears on the screen from the solution provider (Veritech) to that programme, showing an unserious approach to an important consumer safety objective.
The main risk factor observed in this threat category arises from a rather technical aspect of the solution — the unique serial number in the QR code. Serial numbers have long been used in anti-counterfeiting programmes and thus much has been learned about how they should be constructed. Five companies (AbbVie, Alkem, Lupin, Sanofi and Zydus) all appear to have worked with a solution provider that opted to use very short serial numbers. The problem here is it then becomes very easy to swap a letter or digit to generate a new serial number that will actually pass verification. Counterfeiters can then have a field day because it becomes easy for them to hijack the entire security programme.
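An issuer-side check of the short serial number problem described above, and of the earlier point about serial construction, follows as an added example; it is not taken from the article or from any solution provider's system. It measures how many one-symbol variants of issued serials a lookup-only backend would also accept, and compares that with the density of the code space. The 36-symbol alphabet, the pool size and the two serial lengths are constructed assumptions.

```python
import secrets
import string

# Assumed character set for serials: digits plus upper-case letters (36 symbols).
ALPHABET = string.digits + string.ascii_uppercase


def issue_pool(count, length):
    """Issue `count` distinct serials of `length` symbols from a CSPRNG."""
    if count > len(ALPHABET) ** length:
        raise ValueError("code space is smaller than the number of packs")
    pool = set()
    while len(pool) < count:
        pool.add("".join(secrets.choice(ALPHABET) for _ in range(length)))
    return pool


def single_swap_variants(serial):
    """Yield every string that differs from `serial` in exactly one position."""
    for i, original in enumerate(serial):
        for symbol in ALPHABET:
            if symbol != original:
                yield serial[:i] + symbol + serial[i + 1:]


def swap_pass_rate(pool):
    """Measured fraction of one-symbol variants that are themselves issued,
    i.e. that a backend checking only 'does this serial exist?' would accept."""
    total = hits = 0
    for serial in pool:
        for variant in single_swap_variants(serial):
            total += 1
            hits += variant in pool
    return hits / total


def expected_pass_rate(count, length):
    """Analytic estimate for uniformly random serials: issued codes / code space."""
    return (count - 1) / (len(ALPHABET) ** length - 1)


if __name__ == "__main__":
    packs = 3000  # constructed production-run size
    for length in (3, 16):
        pool = issue_pool(packs, length)
        print(f"length {length:2d}: measured {swap_pass_rate(pool):.4f}, "
              f"expected {expected_pass_rate(packs, length):.2e}")
```

The design rule it illustrates is that the code space must be many orders of magnitude larger than the number of packs issued, so that a valid serial has no valid neighbours.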
The final category represents the highest threat level, with 17 companies (~36 per cent) that form the largest cohort among the four threat groups; see Table 4. As will be clear from the risk profiles of these companies, the manner in which they chose to roll out their QR coding programme creates an unparalleled threat to their brands and more importantly to the safety of the Indian people.
Three companies — Alembic, Fresenius Kabi and Ipca — deployed QR codes without a link to a backend database. Instead, these companies opted to embed the entirety of the dataset mandated by the Health Ministry into the QR code itself. Thus all packages for that product had an identical QR code with very high information content, which in turn made it difficult to scan with older Smartphones due to the high data density. The greater danger here is that it becomes a trivial exercise to replicate the QR code and place that onto a fake package because it is nothing but a static construct that can be incorporated into the artwork. The Alembic product represents a particularly egregious example of this approach and is taken up as a separate case study; see Figure 6, available through the online portal [10].
Two companies — Dr. Reddy's and MSD — also incorporated a static QR code into their package artwork, though their versions had a link to a server. After scanning, a window appears where the consumer must manually enter the batch number found on the drug package. The data related to the product and its manufacturer is then pushed to the phone. Here too it is a trivial exercise to place an exact copy of the static QR code on a fake package, with the only requirement being that a valid batch number must also appear somewhere on the drug package as an overprint. The MSD approach was taken up as a case study in Part 1 of this article series [7], though the same exact adversities also apply to medicines from Dr. Reddy's, placing them both in the highest threat group.
The biggest reason why so many drug makers show up in Category 4 is because they all opted for the shortcut of deploying a batch number-based QR coding programme. This approach provides a much simpler way of delivering the mandatory data to consumers without the more arduous task of assigning a unique digital number to each pack. Instead, the batch number associated with thousands of packages from a particular production run can be used to obtain the same details and push that to the consumer.
The danger of this approach was extensively discussed in Part 1 of this article series, and is also illustrated in Figure 3 (available on the online portal). In short, the probability of detecting a fake product under a batch number lookup system is negligible because of the many packages clubbed under it. It is fundamentally unknowable to the drug company whether multiple successful authentications arise due to the same QR code appearing on many fake packs or whether many different customers are authenticating its genuine packs from that same batch.
It is therefore simply not possible to discover a fake medicine through batch number-based QR code construction, thereby endowing these products with the highest threat level. What makes the situation even worse is that most of the drug makers have decided to print their QR codes only on tradable package units. A corrupt trader can then easily place a duplicate QR code on a fake secondary carton, convince a pharmacist that his products are genuine by verifying the copied QR code and thereafter find an unobstructed path to seeding the market with fake uncoded blisters or strips contained inside that secondary carton. This extremely dangerous possibility was described through a case study involving GSK's Augmentin 625 Duo medicine in Part 1 of this article series [7].
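The detection argument above, together with the earlier point about unlimited authentications, can be shown as a small added example; it is not part of the original article or any company's backend. It replays two constructed scan logs through a serial number view and a batch number view of the same events. The pack labels, batch number `BX2401`, device names and the scan limit of 2 are assumptions made for illustration.

```python
from collections import defaultdict

SCAN_LIMIT = 2  # assumed: distinct devices allowed per code before a warning


def _devices_per(events, index):
    """Count distinct scanning devices per code, keyed on events[index]."""
    seen = defaultdict(set)
    for event in events:
        seen[event[index]].add(event[2])
    return {code: len(devices) for code, devices in seen.items()}


def serial_view(events):
    """Distinct devices per pack serial: what a serial-number backend can see."""
    return _devices_per(events, 0)


def batch_view(events):
    """Distinct devices per batch: all that a batch-number backend can see."""
    return _devices_per(events, 1)


def flagged(view, limit=SCAN_LIMIT):
    """Codes scanned by more devices than the limit; candidates for follow-up."""
    return sorted(code for code, n in view.items() if n > limit)


def respond(view, code, limit=SCAN_LIMIT):
    """Consumer-facing status. It never says 'genuine', and because the view is
    built from the full history the warning does not lapse after a day.
    limit=None models a programme that allows unlimited authentications."""
    if code not in view:
        return "UNKNOWN_CODE"
    if limit is not None and view[code] > limit:
        return "REPEAT_SCAN_WARNING"
    return "RECORD_FOUND"


# Constructed scan logs as (serial, batch, device) tuples.
# 40 different packs from one batch, each scanned once by its buyer:
GENUINE_SCANS = [(f"PACK-{i:04d}", "BX2401", f"dev{i}") for i in range(1, 41)]
# One code copied onto 40 packs, each scanned once by a different buyer:
COPIED_SCANS = [("PACK-0001", "BX2401", f"dev{i}") for i in range(1, 41)]

if __name__ == "__main__":
    print("serial, genuine:", flagged(serial_view(GENUINE_SCANS)))
    print("serial, copied: ", flagged(serial_view(COPIED_SCANS)))
    print("batch views identical:",
          batch_view(GENUINE_SCANS) == batch_view(COPIED_SCANS))
```

Under the batch view both logs reduce to the same record, so no threshold can separate them, while the serial view isolates the single over-scanned pack.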
There are two companies that deserve separate discussion because of the atrocious way they have deployed their QR coding programme in order to comply with the Indian mandate. The two companies are shaded gray in Table 4.
Novo Nordisk — This Danish company is a world leader in the area of diabetes care. Several of its products are imported in India and fall under the Health Ministry's top 300 list, thereby requiring mandatory QR coding. The way this company has chosen to implement the programme provides a textbook example of taking a dodgy minimalist approach, which can be seen with Ryzodeg Penfill as an exemplar and described further in Figure 7 in the online portal [10].
The Ryzodeg secondary carton contains several insulin Penfills. The QR code can be found on the carton's back surface where it appears as a very crisp, high-contrast component of the artwork. This is because the QR code is a static construct that does not change from package to package. Scanning the code makes a PDF file appear on the Smartphone, which contains the mandatory information about the product followed by a table of valid batch numbers, manufacturing and expiry dates. Thus the company is transferring responsibility for product verification by having patients undertake the exercise of comparing the data on the screen with printed matter on the package.
The real atrocity here is that Novo Nordisk has made it so easy to create package replicas filled with fake medicines. A copy of an original barcode just needs to be printed on a fake carton with the additional step that the batch details appearing by way of an overprint on one of the flaps should conform to any of the rows in the PDF file.
There is no possibility that the QR code on an imported Novo Nordisk product such as Ryzodeg will therefore help to identify any fake versions in the market. Counterfeit detection will instead have to come from an adverse medical event in the patient after taking the drug. Novo Nordisk products that are packaged in India by a contracted third party, such as Torrent, however do show a somewhat different coding approach. But here too those QR codes, like all other Torrent products, fall under the Category 4 threat group.
The fact that diabetic patients in India who rely on Novo Nordisk products for life-saving care should be exposed to such harm from a counterfeit product that the company has made so difficult to detect is simply unconscionable, especially when it is well aware of the coordinated global effort targeting its diabetes product line [13] and when it had previously issued public warnings itself [14].
Pfizer — The second drug maker to fall in this dishonourable group is American pharmaceutical giant Pfizer, which has an impressive fourteen products in the top 300 list. Although they all display troubling aspects in terms of programme adoption, it is their imported anti-thrombosis drug Eliquis that really stands out. Figure 8, available on the online portal for this article, provides an illustrative account of the problem with this drug package.
The code, which appears on the front surface of the secondary carton, is not a QR code but rather a DataMatrix barcode. This symbology is used in pharmaceutical traceability operations and not meant for consumer engagement. In fact, native software in Smartphones will not detect this type of barcode, which therefore means that the central purpose of the Indian mandate to empower consumers is not being fulfilled. Furthermore, the data retrieval protocol with Pfizer's DataMatrix code is based on batch number lookup, which suffers from all the problems associated with this method already discussed.
The adversity faced by consumers purchasing this life-saving drug led to the question of how Pfizer has managed its operations on other products that require mandatory coding. Although Eliquis is imported from Germany, the other medicines on the government's list are manufactured or packaged in India, and therefore it could be expected that Pfizer's Indian division would be more diligent in its compliance approach.
That expectation was not met. All Pfizer blister and strip products that were examined (e.g., Becosules, Dolonex, Wysolone, etc.) did not show a QR code, even though similar package types from other drug makers were able to place a suitably readable code on their products (e.g., see Figure 2 on the online portal). The only Pfizer consumer-facing units that displayed a QR code were its bottled medicines (e.g., Corex DX, Gelusil MPS, etc.). In all cases however, the QR code was constructed only around a batch-numbered scheme. It is for this reason that all Pfizer products in India join Eliquis to find themselves in the extreme (Category 4) threat group.
Pfizer India has a long and storied history in the country, and in fact was one of the very first companies to endow its life-saving drug Magnex Forte with serialised numbering as part of an anti-counterfeiting effort nearly fifteen years ago. Its American parent was the first drug maker to start a package serialisation programme long before that became a regulatory requirement in the United States and elsewhere. The company even experimented with innovative anti-counterfeiting technologies such as RFID [15].
Pfizer's corporate history therefore attests to its dedicated resolve in combating attacks on its brands and protecting its customers. It is therefore troubling to see how the current management at Pfizer India has handled its rollout of the Indian barcoding programme through a facile approach that now creates a golden opportunity for counterfeiters to harm its patients.
Part 1 of this article series took a critical look at India's regulatory mandate, which requires placing a QR barcode on the top 300 medicines. I concluded that even though the Indian mandate was developed with all good intentions, its flawed design exposed the public to even greater threats because of the ease with which counterfeiters can place replica QR codes on fake products. The greater concern that emerged is that neither consumers nor inspectors could use the barcode to differentiate a fake from a genuine drug.
So that was the problem with the programme design, and for that the Health Ministry can certainly be faulted. But then it turned out that the Indian drug industry by and large deployed the QR programme in ways that further enabled counterfeiters to actually make it easier for them to defeat the very tool that was meant to protect the masses. In this Part 2 of the series, I provide an objective and unvarnished assessment of drug makers by assigning them to one of four threat categories based on their coding approach — and perhaps even a fifth small category taken up at the end.
The most blatant hazard was so common that it was found pretty much across the board. In nearly all cases, the drug company issued an explicit notice to the patient that the scanned drug is genuine, sort of as a certificate of authenticity. But what happens when a consumer receives that same certificate after scanning a copied QR code on a fake drug? The illusion of authenticity and the false reassurance associated with it in such cases shows how drug makers (or their appointed solution providers) developed their coding programme in a most amateurish manner.
I end on a personal note. This was a painful article to write, especially in having to candidly expose the various drug companies that have rolled out such perilous coding programmes. It is unfathomable that the highly worthy goal of ensuring public safety through all good intentions can produce such an ignominious result. All individuals involved in creating this outcome however are professionals, whether government officials, anti-counterfeiting specialists or industry executives. Their collective actions, oversights and neglect have now enabled counterfeiters to bring serious harm to the people of India.
One immediate way to reduce that harm is for medical practitioners across India to take into account where possible the drug company threat profiles presented here when making their prescribing decisions, and for honest retail pharmacists to be especially vigilant and not take the mere presence of a QR code as confirmation of drug authenticity. Companies whose QR-coded products fell into a high threat group, especially those in Category 4, have the highest vulnerability to a counterfeiting attack and a low to nil possibility of detection without an adverse medical outcome in their patient.
The only viable long-term solution, however, is for the current coding mandate to be extensively revised and replaced with a more robust and effective programme. In the next article in this series, I will examine how the Indian drug industry can extricate itself from this mess in the short term and how the Indian government can reform its mandate to produce an effective and enduring replacement.
I am grateful to The Pharmacy, Tollygunge Circular Road, Kolkata, and in particular Mr. Sanjay Majumder and Mr. Basudev Majumder. The research findings showcased here could not have been assembled without their help and cooperation.
References
[5] https://timesofindia.indiatimes.com/blogs/voices/counterfeit-drugs-a-major-public-health-threat/
[6] https://egazette.gov.in/WriteReadData/2022/240392.pdf
[10] https://app.box.com/s/eam2cnnyo7v1ieyxz8opdsw7fgr3yrro
[12] https://www.pharmabiz.com/NewsDetails.aspx?aid=177051&sid=1
[14] https://www.novonordisk-us.com/media/news-archive/news-details.html?id=166119
Dr Avi Chaudhuri is an acclaimed expert in the field of anti-counterfeiting, working with both governments and the private sector. He founded The Kulinda Consortium, a global alliance of solution providers that focuses on emerging nations to protect their citizens from fake drugs.
Dr Chaudhuri is now engaged in designing anti-counterfeiting programmes for several countries across Africa, working closely with senior government officials. The Kulinda programme in Tanzania-Zanzibar rolled out in 2024 resulted in the complete elimination of counterfeit medicines within four months of launch for products on which his solution was applied.