The DEA informed community pharmacists on e-prescribing fraud and measures necessary to detect it.
In January 2024, a 21-year-old man from Florida was arrested for operating an online prescription drug scam, committing e-prescription fraud, and illegally selling controlled substances. In just a 5-hour span, he sent out around 18,500 prescriptions to 18 different states, Anne T. Donnelly, Nassau County District Attorney, told AP News.1
State governments first started enacting mandates that allowed for the electronic prescribing of controlled substances (EPCS) in 2010. By 2015, all 50 states legalized EPCS to curb written prescription fraud, over-prescribing, and misuse of medications such as opioids.2
Although researchers once described e-prescribing as a way to “substantially reduce the scope for fraud,”2 bad actors targeting the pharmaceutical industry have evolved and moved their activities to the internet.
During a webinar co-sponsored by the American Pharmacists Association and the National Community Pharmacists Association, Erin Hager, Diversion Investigator with the Drug Enforcement Administration (DEA), presented her team’s findings on e-prescribing fraud, how it’s done, and what pharmacists can do to avoid it.
“Over the last few years, what we thought was going to be our savior has now become our curse,” Hager said.3
Bad actors targeting the pharmaceutical industry have evolved and moved their activities to the internet. | image credit: LIGHTFIELD STUDIOS / stock.adobe.com
In a step-by-step walkthrough, Hager broke down the process of e-prescribing fraud, which starts with the stealing of a health care provider’s identity. “What’s happening is a [provider’s] identity is being stolen, and usually this is occurring through dark web means,” Hager continued. These thefts are similar to those committed by bad actors who steal other personal information, such as credit cards, health care data, or even gym memberships—except these individuals on the dark web are gaining access to prescription drugs.3
Once the provider’s identity is stolen, individuals operating on the dark web will then move to electronic health records (EHRs). Since EHR access is designed solely for the use of health care providers and their individual patients, dark web operators can maneuver through them unscathed without raising many red flags if they can utilize a provider’s identity successfully.3
Once illegal EHR access is established, there’s just one more step in the process before prescriptions are sent out to pharmacies across the nation. Prescriptions are created and sent to a company with software that allows the mass distribution of prescriptions to pharmacies. The example Hager used in her presentation was Surescripts.3
“Surescripts is a health information network that facilitates a safe and secure exchange of patient information between stakeholders such as [EHR vendors, health systems, providers, payers, pharmacy benefit managers, and pharmacies]. This digital highway ensures that patient information flows seamlessly and improves the quality of healthcare services,” according to the full-service technology company Pure Logics.4
Hager added that once records are entered into an EHR and sent to a company like Surescripts, prescriptions are then translated and sent to pharmacies across the nation, with little to no security measures because the technology is operating as if the prescriptions came from a certified doctor.3
And finally, once a prescription is filled at the pharmacy—barring any red flags that a pharmacy may notice, which is usually not the case with EHR prescriptions—the bad actors then send individuals to pick up the prescriptions at each pharmacy.3
At the end of the process, dark web users are creating a fake identity and sending prescriptions through a lengthy but proven process allowing for the chance of increased profits than if that same individual illegally sold the prescription on the street.
“You have the unique ability of being the gatekeepers of the drugs themselves. It’s up to you whether or not that drug walks out the door or not,” said Hager to webinar attendees.3
While she was sure to shine light on community pharmacists’ busy schedules, Hager emphasized their role in flagging down fraudulent prescriptions: Until tighter security measures are implemented in EHRs, it’s on the pharmacist to have the due diligence to recognize a fake prescription.
As an example of this due diligence, Hager provided an example of a pharmacist who took the time to analyze one of their unusual prescriptions. After a quick Google search of the information on the provider’s prescription, the pharmacist in question found that the phone number and office address were for unrelated businesses while coming from a provider who had never filled a prescription with that pharmacy—all of which are red flags.3
With the opioid epidemic persisting in the US and technology advancing, bad actors are more motivated than ever to access highly sought drugs including oxycodone, promethazine with codeine, and amphetamines.3
The 21-year-old arrested in January, for example, was able to hack EHRs, fill prescriptions, and have drug runners pick them up to then sell at a premium on the street because they were coming from certified pharmacies. It was only until his runners went to pick up $14,000 worth of prescriptions when the illegal drug ring was eventually exposed.1
“Thank goodness I have this opportunity to talk to all of you today. I really, really hope that you will go tell your friends and that again, as this word gets out there, it's going to be harder and harder and harder for our bad actors to be successful,” concluded Hager.1
