I have been a GDP inspector for a number of years and undertake a significant number of inspections where MHRA has reason to suspect that significant breaches of The Human Medicines Regulations and EU GDP have occurred. This includes working closely with Enforcement colleagues, where evidence may need to be gathered or allegations of suspected criminal activity may require further regulatory investigation.
Tony Orme (Lead Senior Inspector, GDP) has written previous posts about the importance of ensuring goods are procured from and supplied to authorised persons. MHRA continues to note concerted efforts to falsely obtain stock by some parties from suppliers, and has undertaken targeted inspections of supply chain integrity, resulting in cases of regulatory and enforcement action. Further emerging trends have been observed by MHRA around criminal attempts to sell falsified and stolen stock into the legitimate supply chain by a variety of methods. This creates the prospect of patients being supplied with substandard medicines, by way of gaps in the qualification processes of suppliers.
Several recent cases have exposed weaknesses in some supplier qualification processes, with individuals stealing the identity of legitimate companies and purporting to be someone they are not. In this instance, validation via EudraGMDP and Competent Authority sources would not detect a fraudulent supplier. A typical instance may include persons setting up cloned e-mail addresses, not dissimilar to phishing scams, where domain names may be similar but incorrect: such as changing .com to .net, adding hyphenation within addresses or using small spelling mistakes to deceive. In some instances, persons have been seen to use popular e-mail systems such as Gmail, Yahoo and Hotmail, while purporting to be from a company which does not utilise these. There have been further examples of fake websites created in order to mimic legitimate companies, with the intent to deceive prospective businesses into purchasing from them. Obtaining a licence and checking on EudraGMDP may not be enough in these instances to protect licensed entities from fraudulent approaches.
We have also recently seen instances of companies’ wholesale dealer licences being purchased outright and new directors and personnel appointed. Such cases are hard to spot as the licence details do not change. Here the newly purchased company supplies falsified medicines to customers who do not notice that contact details have changed or that the company is now offering product types not previously seen. The people behind these companies disappear when discovered and every product they supplied is then treated as falsified as no history can be established as to the original source of the products.
So, what can you do to protect yourself?
First, when conducting due diligence checks, a company should never rely on information solely provided by the supplier. You should consider:
- conducting independent research into the company, by way of review of wider official sources of information, such as Companies House records
- ensuring details provided by an organisation match online presence
- calling numbers or testing contact details obtained independently
- validating bank details in line with your expectations from experience
- ensuring internal training programmes encompass departments which may be approached outside of your direct knowledge, such as finance, and equip staff with mechanisms to report changes to supplier or customer details you may not be aware of
- what processes and assessments you have in place to confidently establish the identity of a prospective supplier
- the types, volumes and prices of products being offered and usual availability as a potential risk
- if your risk management processes minimise the prospect of falsified medicines entering the supply chain
- when re-qualifying suppliers, consider if any significant changes in directorship or ownership have occurred
- how staff and management can be confident that replies are only sent to approved and valid e-mail addresses
- how reporting mechanisms from goods in processes generate deviations and integrate into the quality management system
- how new contact details are reviewed by your company
MHRA recognises that determined efforts by unauthorised persons or criminals can be convincing. Nonetheless, there is an expectation that licence holders have appropriate systems to safeguard the supply chain. This may include ensuring detailed records of collection and delivery activities are made, to assure yourself that individuals involved in your supply chain at every step are who they say they are. Further, do you have this documented and risk assessed? Is there clear visibility of transport arrangements, and are these documented and transparent? These documents and records may be requested by MHRA in the event of suspected supply chain breaches being identified.
Further instances of falsified GDP certificates and wholesale dealer authorisations are still being observed throughout the EEA supply chain. Companies are reminded that they have an obligation to assess the legitimacy of documentation obtained, by independently validating supplier and customer credentials. However, whilst measures to assist with supplier qualification are in place within the EEA - such as EudraGMDP - simply obtaining documentation may not be enough and extra steps should be taken to provide assurances of supplier bona fides.
Recently, MHRA has become aware of a company claiming to be a wholesale dealer from Hungary who had attempted to enter a supplier relationship with a UK organisation. The UK company had taken steps to assess the legitimacy of the Hungarian organisation and it had been confirmed by the National Institute of Pharmacy & Nutrition Hungary (OGYÉI) that the company held neither a WDA(H) nor any other licence to distribute medicines, and all supporting documents - such as chamber of commerce certification - were also falsified.
There are several other tell-tale signs within this document indicating that this is falsified. These include logos, branding and spelling mistakes. These details should be considered when reviewing documentation.
As a final thought, a recent attempt to introduce falsified medicines into the legitimate supply chain has been brought to the attention of MHRA. Specifically, an unlicensed company has attempted to supply Iclusig 15mg (BN: 25A19E09) and Iclusig 45mg (BN: PR072875) in both English and German language packaging into EEA markets. Although Iclusig is a UK licensed product, the product is suspected of being falsified and there have been instances reported of falsified batches containing no active pharmaceutical ingredient (API). There are concerns that individuals are attempting to supply these products into multiple markets and, as always, companies must remain diligent regarding their supply chains.
Data request by MHRA
Please ensure that you are regularly checking your messages, including your spam folder: MHRA sent out an email request on 18 April for information regarding procurement and supply for holders of licences including 3.1.2, Narcotic and Psychotropic products in order to support our efforts to protect the public and the supply chain. A response is required by 17 May 2019 and, as this blog post is published, 250 companies are still to reply.
To clarify what was on the original request for Codeine products, we require data on just Codeine Phosphate tablets 15mg, 30mg or 60mg.
For Tramadol, just Tramadol Hydrochloride, tablets or capsules. No return is required for any mixed API products.
A big thank you to the companies providing this data as it allows us to look across the whole supply chain and gives us invaluable data in spotting suspicious transactions.
To close, companies should remain vigilant and be aware that criminals will actively probe for weaknesses within the supply chain in order to make money. As a result, pharmaceutical companies are at risk of exploitation.
If you have any concerns regarding any transactions or individuals you have dealt/are dealing with, please notify the Inspectorate via firstname.lastname@example.org and GDP.Inspectorate@mhra.gov.uk, or your last inspector, for further consideration. Further, any concerns or uncertainties can be reported to CaseReferrals@mhra.gov.uk or email@example.com in confidence.
Don’t miss the next post, sign up to be notified by email when a new post comes out