The Drug Enforcement Administration (DEA) recently alerted healthcare providers to a concerning trend: hackers tapping into patient electronic health records (EHRs) to steal doctors’ DEA registration numbers. Armed with those numbers, the thieves have been able to generate tens of thousands of bogus prescriptions and sell them online, the agency explained in a YouTube video.

“Electronic prescription fraud is a real emerging trend that we’re seeing all across the country,” said Erin Hager, a DEA diversion investigator in the Phoenix-Tucson Tactical Division Squad. “What’s happening is … bad actors … who have been conducting prescription drug fraud are now utilizing the internet and electronic health record platforms to create electronic prescriptions that they can then send nationwide.”

These activities can result in “a thousand fraudulent prescriptions using an unsuspecting doctor’s DEA number within a 14-hour time frame,” Ms. Hager said.

The DEA has found that illegal schemes to generate fake electronic prescriptions for controlled substances exploit vulnerabilities in e-script software. Larry Houck, JD, a former DEA diversion investigator and now a controlled substance regulatory attorney in Virginia, said EHR hacking is just another way for thieves to get access to DEA numbers, “instead of, say, stealing physician prescription pads.”

Stemming the fraud will require efforts from doctors, EHR firms and the technology companies that process prescriptions and pharmacists, the DEA said. Among the ways to stop the EHR-generated prescriptions, according to the agency, is for doctors to check their state DEA registration profile to determine which prescriptions have been written using their DEA registration number.

State boards of pharmacy are also becoming involved, as pharmacists contact them when they suspect or detect fraudulent prescriptions, said Doug Skvarla, the director of the Controlled Substances Prescription Monitoring Program at the Arizona Board of Pharmacy. “Pharmacists have a pulse [on] what’s going on with the prescribing habits within their neighborhoods,” said Mr. Skvarla, adding that when the Arizona Board of Pharmacy hears from pharmacists about fraudulent prescriptions, it contacts the local DEA office.

Ms. Hager said EHR hacking represents a new pattern in these reports. “For many years, pharmacy board calls to DEA tended to be about opioids laced with fentanyl and other products. Now, the rise in the number of actual pills that are pharmaceutical grade and coming out of the pharmacies is going to increase.”

Red Flags for Prescriptions

Recent cases show that the DEA can hold pharmacies liable for fraudulent prescriptions. In 2023, for example, CVS agreed to pay $70,000 to resolve allegations that it violated the Controlled Substances Act (CSA) at several stores. “Pharmacies have a legal responsibility to ensure that controlled substances are dispensed only pursuant to valid prescriptions,” said U.S. Attorney Jane E. Young in a statement. “When pharmacies ignore red flags that a prescription is fraudulent, they miss a critical opportunity to prevent prescription drugs from being misused or diverted for unlawful uses or into the black market.”

Based on its investigation, the government alleged that the pharmacists at CVS should have known that they were presented with invalid prescriptions that should not have been filled.

The DEA told Pharmacy Practice News that its Pharmacist’s Guide to Prescription Fraud outlines prevention techniques, controls and the responsibilities of pharmacists. “Pharmacy professionals are in a unique position and play an important role in detecting suspicious and fraudulent activity,” a DEA spokesperson said.

The DEA also has published a related document, the Pharmacist’s Manual, that provides important regulatory information, including details on CSA compliance. According to the manual’s preface, “DEA understands that it can best serve the public interest by working with the pharmacy community to prevent the diversion of pharmaceutical controlled substances ... into the illicit market.”

A DEA spokesperson recommended steps pharmacists can take to detect fraud:

• Check to see whether the prescribing clinician has a valid DEA registration and state license in the state where the prescription is being dispensed.
• Search the provider’s phone and address online to ensure the information is legitimate.
• Ask for identification from the person picking up the prescription.
• Use caution when dispensing to a person other than the patient for whom the drug is intended if that person does not have a valid form of identification or local address.
• Regularly check the prescription drug monitoring program in your state.

Pharmacists must be engaged in reviewing the prescriptions their pharmacies receive for dispensing, Mr. Houck said. “They are highly trained and should rely on and trust their professional judgment. If it seems that a prescription hasn’t been issued for a legitimate medical purpose, it probably wasn’t and requires further review.

“Pharmacists should also come to know the prescribers whose prescriptions are brought to their pharmacies,” Mr. Houck said. “And if you suspect a prescription is fraudulent, pick up the phone and call the doctor and ask if they wrote a prescription, rather than simply filling it.” (For more of Mr. Houck’s prevention tips, see “Drug Diversion and the DEA: Lessons Learned.”)

The sources reported no relevant financial disclosures.