An almost perfect $111,756.58 crime
We very nearly got conned out of $111,000 worth of drug product by what I assume was the actual mafia. I offer thoughts on how to stop this from happening ever again.
As if dealing with organizations that FEEL like organized crime wasn’t enough, today we got hit by actual organized crime. Here’s the story.
At about 1:58 AM this morning, someone called Cardinal Health customer service, impersonating our Pharmacist-in-Charge. They gave all of the right information over the phone to convince customer service that they were in fact our PIC. They placed an order for 67 bottles of Eliquis 60 count and 47 bottles of Xarelto 90 count. The total amount for the product was $111,927.57, which is… quite a large order.
To Cardinal’s credit, someone or something in their system flagged this as a suspicious order, and they did not ship the order this morning. This morning at about 10 AM, we received a call at the pharmacy from Cardinal customer service asking to confirm the order. They deleted the pending order from their systems. I spoke to our account manager, who spoke to multiple departments at Cardinal to ensure that we won’t be targeted again. Apparently this type of scam has been going on at pharmacies in various parts of the country for at least 6 months, and Cardinal’s security team appears to be doing their jobs.
From what I’ve understood, this is how this scam works:
1) The conmen call the pharmacy impersonating the state board of pharmacy, a wholesaler employee, the DEA, or another similar entity of authority. They ask a number of questions of the pharmacy staff to be able to bypass the regular controls that wholesalers have on placing orders – asking for sign in credentials to the wholesaler’s website, pharmacy account numbers, the name of the pharmacist-in-charge, license numbers, and similar types of identifying information. Pharmacy staff will generally give the information over the phone, thinking little of it. They will also call the pharmacy asking when the wholesaler orders generally arrive.
2) Some time later, the conmen will call the wholesaler, or will sign into the wholesaler’s web portal using the pharmacy’s sign in credentials. They will place an order for an exceptionally large quantity of drug product, generally brand name items, and generally legend drugs, because controlled substances have additional checks in the wholesalers’ systems to flag suspicious orders.
3) The order will arrive at the pharmacy, causing quite some confusion among the staff.
4) The conmen will arrive at the pharmacy, posing as wholesaler employees, stating that they will take the “mistaken shipment” back to the warehouse. They then take possession of a large amount of drug product.
5) The conmen fence their product into the so-called “gray market” for prescription drugs. Some subset of secondary wholesalers and pharmacies are always looking to purchase branded medications at a discount, and will purchase the product from the conmen.
6) Profit.
That’s the scheme. It’s a very clever confidence game, and has apparently worked pretty well, given that it has spread to multiple states now. I have some thoughts about potential solutions to this issue:
1) Wholesaler websites have frankly terrible security policies for the most part. I can’t sign into Facebook without using 2-factor authentication. Most wholesaler websites don’t require password changes very often or ever. To my knowledge, none of the major wholesaler sites require 2FA to sign in, though strangely Cardinal’s wholly-owned secondary supplier, Parmed, DOES require 2FA. Implementing 2FA or password change policies would help with one part of this – the obtaining of pharmacy login accounts, but would not help with the phoned in orders.
2) Wholesalers should implement 2FA systems for exceptionally large orders – a code sent to the owner’s email or cell phone to verify that the pharmacy does in fact wish to place an order that is outside of the size of 99% of the pharmacy’s orders would probably stop this scam in its tracks. When I want to make large financial transactions in my personal life, I have to provide 2FA all the time.
3) Pharmacy staff should be aware that wholesalers do NOT just send people to pick up orders shipped in error. When this happens to you, you put in a return authorization like any other return. You follow the regular returns process. You send the product back to your wholesaler the same way as any other order.
4) Pharmacies shouldn’t give out usernames or passwords or account numbers over the phone to random people calling. If they’re really calling you, they already know your account details.
5) Pharmacy owners and managers should be aware that large discounts off of WAC on branded drug product do NOT exist in the regular marketplace. Legitimate wholesalers sell branded drug products at a price of ~WAC minus 0-6%, and the upper range of discounts is contingent on purchasing large quantities of generic products. If someone outside of a 340b contract arrangement is offering to sell you product at WAC minus 12% or minus 20%, make sure you know precisely who you are doing business with. Check their credentials. Check their NABP Accredited Drug Distributor status. They’re almost certainly fencing stolen or counterfeit medication.
6) PBMs and purchasers need to STOP with the insanity of AWP discounts. The median pharmacy purchases products at WAC minus 4%, or AWP minus 20% according to the NADAC equivalency metrics published by Myers and Stauffer and CMS. Offering contract terms more aggressive than AWP minus 20% plus a $10 dispense fee is ensuring that your network pharmacies are either a) losing money on every dispensing of brands and going out of business or b) purchasing counterfeit or stolen medication or c) refusing to dispense branded medications. Offering a reimbursement of AWP minus a 31.3% discount plus $0.00 dispense fee as an automatic opt-in amendment is a predatory tactic and in bad faith. AWP discount logic, as well as discount escalators need to be made illegal. Branded medications don’t get deeper cost of goods discounts every year just because PBMs want to offer bigger discounts to their clients. Contracts should reflect this reality. Unfortunately, with 3 PBMs controlling ~80% of the market for pharmacy benefits, their choices to abuse pharmacies are effectively at the point of a gun. (you don’t want to lose 35% of your business, do you? Accept these terms, it’ll be fine!)
Anyway, hopefully this rambling into the void about our pharmacy’s near-miss misfortune will change things in a way that breaks this actual crime ring’s scam.
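Suggestion 2 above (step-up verification for orders larger than 99% of a pharmacy's past orders) can be sketched as follows. This is an added example, not code from the post or from any wholesaler; the class name, the sample history and the contact address are all hypothetical.

```python
import hmac
import math
import secrets

# Constructed sample data: 200 past order totals (USD) for one pharmacy account.
HISTORY = [2000.0 + 45.0 * (i % 60) for i in range(200)]
CONTACT_ON_FILE = "owner@pharmacy.example"  # hypothetical; set at account opening

def percentile(values, pct):
    """Nearest-rank percentile of a non-empty list."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]

class LargeOrderGate:
    MAX_ATTEMPTS = 3

    def __init__(self, history, contact_on_file, pct=99):
        self.threshold = percentile(history, pct)
        self.contact = contact_on_file
        self.pending = {}   # order_id -> [code, failed_attempts]
        self.outbox = []    # stand-in for an SMS/email gateway

    def submit(self, order_id, total):
        """Release ordinary orders; hold outliers until the owner confirms."""
        if total <= self.threshold:
            return "released"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[order_id] = [code, 0]
        # The code goes only to the contact on file, never to a number or
        # address supplied by whoever is placing the order.
        self.outbox.append((self.contact, order_id, code))
        return "held"

    def confirm(self, order_id, code):
        entry = self.pending.get(order_id)
        if entry is None:
            return "unknown"
        if hmac.compare_digest(entry[0], code):
            del self.pending[order_id]
            return "released"
        entry[1] += 1
        if entry[1] >= self.MAX_ATTEMPTS:
            del self.pending[order_id]   # too many guesses: cancel the order
            return "cancelled"
        return "held"

if __name__ == "__main__":
    gate = LargeOrderGate(HISTORY, CONTACT_ON_FILE)
    print(gate.threshold, gate.submit("ORD-1", 3200.00), gate.submit("ORD-2", 111927.57))
```

The same gate applies whether the order arrives by phone or through the web portal, which is why it covers the phoned-in case that login 2FA alone does not.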
No mention here of having the police or sheriff give the conmen a ride to jail? (DEA should do it, but they're worthless; just part of the Pharma ripoff scam.)
This isn’t just limited to pharmacies. Wholesalers of all levels have been victims of this type of scam — but on much larger orders.
A good policy is to ensure all employees funnel official calls / visits to a trusted manager who is somewhat of a sceptic. This has prevented numerous phishing expositions in my pharmacy with the only side effect being a few extra calls I have to field. We have been targeted several times to date. It appears to go in spurts.
Oh, and by the way — if you willingly hand over the drug to the scammers you are a lot less likely to be covered by your insurance.