India’s Drug QR Code Expansion Plan Draws Criticism Over Security Gaps

According to the document, the current system has already been compromised within months of launch.

The Union Health Ministry’s proposal to expand India’s mandatory QR barcoding program to critical drug categories such as vaccines, anti-infectives, and anti-cancer medicines has drawn sharp criticism from experts over alleged security lapses.

In detailed feedback to Notification 757 (E), retired Canadian scientist and Overseas Citizen of India, Dr. Avijit Chaudhuri, who helped introduce serialization to Indian pharma in 2007, described the current system as “fundamentally flawed” and warned that its expansion “would be far worse for public safety.”

Dr. Chaudhuri argued that the ongoing program “is not an effective product security tool but rather a vehicle to empower counterfeiters.” He said the government’s choice of an open QR code format allows a link to serve as the verification gateway, which is “typically used for marketing purposes” and “extremely vulnerable to multiple attack vectors.”

Citing warnings from US federal agencies such as the FBI and FTC, he said, “There are no product security programs anywhere, much less one to stop counterfeit drugs that are based on open QR codes.” He added that closed systems requiring dedicated readers or mobile apps, like UNICEF’s TRVST system, are considered more secure.

According to the document, the current system has already been compromised within months of launch. Fake QR codes were discovered on counterfeit drugs for hypertension, diabetes, blood clotting, vertigo, and epilepsy. One of the most serious cases involved Sun Pharma’s epilepsy drug Levipil, where criminals used genuine serial numbers on fake versions. Dr. Chaudhuri said drug companies “have provided no guidance on what actions to take when their QR program has been compromised.”

He warned that the illusion of authenticity poses a grave risk to patients. “Despite the Levipil counterfeiting being known for months, scanning the QR code on a fake package still returns the declarative statement, ‘This is a Genuine Pack,’” he said, calling it “a stunning level of incompetence (or indifference)” by the drug maker.

The critique also highlighted regulatory flaws, such as the lack of a mandatory unique serial number, with over one-third of manufacturers using less secure batch codes. Many products, including the widely sold Augmentin Duo, have QR codes only on secondary packaging, leaving primary blister strips unverified and vulnerable to counterfeiting.

Dr. Chaudhuri cautioned that expanding the flawed platform could “harm virtually every stakeholder,” from SMEs struggling with compliance costs to pharmacists, doctors, and nurses exposed to professional risks if fake QR-authenticated medicines cause harm.

He urged the government to overhaul or replace the system with an “effective, enduring, and economical solution” that eliminates discrimination against SMEs, concluding with a firm warning that the current failure “must not stand.”

Stay tuned for more such updates on Digital Health News