September 8, 2017: Galena Biopharma Inc. to Pay More than $7.55 Million to Resolve Alleged False Claims Related to Opioid Drug



Food and Drug Administration 
Office of Criminal Investigations


Galena Biopharma Inc. (Galena) will pay more than $7.55 million to resolve allegations under the civil False Claims Act that it paid kickbacks to doctors to induce them to prescribe its fentanyl-based drug Abstral, the Department of Justice announced today.


“Given the dangers associated with opioids such as Abstral, it is imperative that prescriptions be based on a patient’s medical need rather than a doctor’s financial interests,” said Acting Assistant Attorney General Chad A. Readler of the Justice Department’s Civil Division. “The Department of Justice intends to vigorously pursue those who offer and receive illegal inducements that undermine the integrity of government health care programs.”


“The conduct alleged by the government and resolved by today’s settlement was egregious because it incentivized doctors to over-prescribe highly addictive opioids,” said Acting U.S. Attorney William E. Fitzpatrick for the District of New Jersey. “This settlement constitutes another example of the Department of Justice’s ongoing efforts to battle the opioid epidemic on every front.”


The United States contends that Galena paid multiple types of kickbacks to induce doctors to prescribe Abstral, including providing more than 85 free meals to doctors and staff from a single, high-prescribing practice; paying doctors $5,000, and speakers $6,000, plus expenses, to attend an “advisory board” that was partly planned, and attended, by Galena sales team members; and paying approximately $92,000 to a physician-owned pharmacy under a performance-based rebate agreement to induce the owners to prescribe Abstral. The United States also contends that Galena paid doctors to refer patients to the company’s RELIEF patient registry study, which was nominally designed to collect data on patient experiences with Abstral, but acted as a means to induce the doctors to prescribe Abstral. Galena has not marketed any pharmaceutical drug since the end of 2015.


Two of the doctors who received remuneration from Galena were tried, convicted and later sentenced to prison in the U.S. District Court for the Southern District of Alabama following a jury trial of, among other counts, offenses relating to their prescriptions of Abstral. Galena cooperated in that prosecution.


The settlement resolves a lawsuit filed by relator Lynne Dougherty under the whistleblower provisions of the False Claims Act, which permit private parties to file suit on behalf of the United States and obtain a portion of the government’s recovery. As part of today’s resolution, Ms. Dougherty will receive more than $1.2 million. The matter remains under seal as to allegations against entities other than Galena.


The settlement is the result of a coordinated effort by the Civil Division’s Commercial Litigation Branch and the U.S. Attorney’s Office for the District of New Jersey, with assistance from the Department of Health and Human Services Office of Counsel to the Inspector General, and the Food and Drug Administration Office of Criminal Investigations’ Metro Washington Field Office.


The claims settled by this agreement are allegations only; there have been no admissions of liability by Galena.




Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop

Visa and MasterCard are sending confidential alerts to financial institutions across the United States this week, warning them about more than 200,000 credit cards that were stolen in the epic data breach announced last week at big-three credit bureau Equifax. At first glance, the private notices obtained by KrebsOnSecurity appear to suggest that hackers initially breached Equifax starting in November 2016. But Equifax says the accounts were all stolen at the same time — when hackers accessed the company’s systems in mid-May 2017.


Both Visa and MasterCard frequently send alerts to card-issuing financial institutions with information about specific credit and debit cards that may have been compromised in a recent breach. But it is unusual for these alerts to state from which company the accounts were thought to have been pilfered.

In this case, however, Visa and MasterCard were unambiguous, referring to Equifax specifically as the source of an e-commerce card breach.

In a non-public alert sent this week to sources at multiple banks, Visa said the “window of exposure” for the cards stolen in the Equifax breach was between Nov. 10, 2016 and July 6, 2017. A similar alert from MasterCard included the same date range.

“The investigation is ongoing and this information may be amended as new details arise,” Visa said in its confidential alert, linking to the press release Equifax initially posted about the breach on Sept. 7, 2017.

The card giant said the data elements stolen included card account number, expiration date, and the cardholder’s name. Fraudsters can use this information to conduct e-commerce fraud at online merchants.

It would be tempting to conclude from these alerts that the card breach at Equifax dates back to November 2016, and that perhaps the intruders then managed to install software capable of capturing customer credit card data in real-time as it was entered on one of Equifax’s Web sites.

Indeed, that was my initial hunch in deciding to report out this story. But according to a statement from Equifax, the hacker(s) downloaded the data in one fell swoop in mid-May 2017.

“The attacker accessed a storage table that contained historical credit card transaction related information,” the company said. “The dates that you provided in your e-mail appear to be the transaction dates. We have found no evidence during our investigation to indicate the presence of card harvesting malware, or access to the table before mid-May 2017.”

Equifax did not respond to questions about how it was storing credit card data, or why only card data collected from customers after November 2016 was stolen.

In its initial breach disclosure on Sept. 7, Equifax said it discovered the intrusion on July 29, 2017. The company said the hackers broke in through a vulnerability in the software that powers some of its Web-facing applications.

In an update to its breach disclosure published Wednesday evening, Equifax confirmed reports that the application flaw in question was a weakness disclosed in March 2017 in a popular open-source software package called Apache Struts (CVE-2017-5638).

“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted,” the company wrote. “We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

The Apache flaw was first spotted around March 7, 2017, when security firms began warning that attackers were actively exploiting a “zero-day” vulnerability in Apache Struts. Zero-days refer to software or hardware flaws that hackers find and figure out how to use for commercial or personal gain before the vendor even knows about the bugs.

By March 8, Apache had released new versions of the software to mitigate the vulnerability. But by that time exploit code that would allow anyone to take advantage of the flaw was already published online — making it a race between companies needing to patch their Web servers and hackers trying to exploit the hole before it was closed.

Screen shots apparently taken on March 10, 2017 and later posted to the vulnerability tracking site xss[dot]cx indicate that the Apache Struts vulnerability was present at the time on — the only web site mandated by Congress where all Americans can go to obtain a free copy of their credit reports from each of the three major bureaus annually.

In another screen shot apparently made that same day and uploaded to xss[dot]cx, we can see evidence that the Apache Struts flaw also was present in Experian’s Web properties.

Equifax has said the unauthorized access occurred from mid-May through July 2017, suggesting either that the company’s Web applications were still unpatched in mid-May or that the attackers broke in earlier but did not immediately abuse their access.

It remains unclear when exactly Equifax managed to fully eliminate the Apache Struts flaw from their various Web server applications. But one thing we do know for sure: The hacker(s) got in before Equifax closed the hole, and their presence wasn’t discovered until July 29, 2017.


Hacking Robots



Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.


Investor Bulletin: Financial Professionals’ Use of Professional Honors – Awards, Rankings, and Designations

The SEC’s Office of Investor Education and Advocacy is issuing this Investor Bulletin to educate individual investors about the professional awards, rankings, and designations that financial professionals often use to market themselves to prospective clients.

Financial professionals often use awards, rankings, and designations to distinguish themselves from their competitors, including to imply a higher degree of sophistication, expertise or success than others in the same profession.  While in some cases this type of information may help an investor make an informed decision in choosing a financial professional, in some cases it can be misleading – some professional awards, rankings, and designations provide little or no basis on which to judge the skill or abilities of the financial professional.  

If a financial professional publicizes any professional awards, rankings or designations, there may be circumstances that make the award, ranking, or designation less meaningful or misleading, including:

  • the criteria to receive the award or designation was so minimal that essentially any person who submitted an application would receive the award or designation;
  • the financial professional or firm paid a fee to receive an award, ranking, or designation;
  • the financial professional was required to be a member of an organization to receive the award, ranking, or designation;
  • the financial professional misrepresented his or her rank by using a generic statement claiming he or she is the top financial professional on the list where the members are not rank-ordered;
  • the financial professional omitted the geographic scope of an award, such as where the ranking is based on a small, regional area;
  • the financial professional included false or misleading information on the application for the award or designation that could call into question whether he or she validly received the award; and
  • the financial professional continues to use professional designations that have lapsed.

You should be cautious in evaluating a financial professional based on any professional awards, rankings or designations they may have.  There are some steps you can take to understand awards, rankings, and designations better.

  • Look for details and explanations of the award, ranking, or designation in the materials the financial professional has provided.  If there aren’t any details or explanations, ask the financial professional or perform your own research.

Keep in mind that the SEC does not endorse any professional award, ranking, or designation.

You should always look beyond a financial professional’s awards, rankings, or designations to determine whether he or she can provide the type of financial services or products you need.

Additional Information:

Investor Bulletin:  Top Tips for Selecting a Financial Professional

Investor Alert:  Beware of False or Exaggerated Credentials

Investor Bulletin:  Making Sense of Financial Professional Titles

Investor Bulletin:  “Senior” Specialists and Advisors:  What you Should Know About Professional Designations

NEP Risk Alert: The Most Frequent Advertising Rule Compliance Issues Identified in OCIE Examinations of Investment Advisers 

The Office of Investor Education and Advocacy has provided this information as a service to investors. It is neither a legal interpretation nor a statement of SEC policy. If you have questions concerning the meaning or application of a particular law or rule, please consult with an attorney who specializes in securities law.


September 12, 2017: Former Paramedic Pleads Guilty to Stealing Pain-killing Drugs, Replacing Vials with Water



Food and Drug Administration 
Office of Criminal Investigations


KANSAS CITY, Mo. – Tom Larson, Acting United States Attorney for the Western District of Missouri, announced that a former paramedic with two northwest Missouri ambulance districts pleaded guilty in federal court today to stealing pain-killing drugs and replacing the vials with water.


Joseph L. Comstock, 31, of Bethany, Mo., waived his right to a grand jury and pleaded guilty before U.S. District Judge Beth Phillips to a federal information that charges him with three counts of tampering with a consumer product (fentanyl and morphine) with reckless disregard for the risk that another person would be placed in danger of death or bodily injury, and under circumstances manifesting extreme indifference to such risk.


By pleading guilty today, Comstock admitted that he emptied vials of morphine and fentanyl, taking it for his own personal use, and replaced the pain-killing drugs with sterilized water. Comstock tampered with the drug vials while working at both the NTA Ambulance District in Bethany and the Community Ambulance District of Daviess County in Gallatin, Mo., in 2014 and 2015.


Comstock started tampering with drugs in March 2014, following a medical procedure to remove his tonsils. He accessed drugs on ambulances and was able to bend up the lid of the plastic boxes and dump out the drugs he wished to tamper with. He obtained both fentanyl and morphine from ambulances and replaced the drugs with sterile water.


Comstock admitted there were at least two occasions where he personally treated patients with drugs he knew he had tampered with. These patients were both hip fracture patients that were supposed to receive fentanyl but instead received sterile water that Comstock had replaced in the vial.


Federal officials were notified on March 4, 2015, of possible drug tampering at the NTA Ambulance District in Bethany. The chief of EMS reported that an employee had noticed two morphine syringes had broken tamper-evident seals. On Jan. 30, 2015, an employee noticed that two morphine syringes had broken tamper-evident seals. On Feb. 27, 2015, ambulance employees looked through narcotic boxes kept on the three NTA ambulances. They found a number of drugs that were missing tamper-evidence caps and had broken tamper-evident seals, including midazolam, lorazepam, morphine and fentanyl.


Federal agents installed surveillance equipment at the Bethany NTA building on March 18, 2015. A camera was also placed on an ambulance, which was taken out of service. Comstock was recorded on the surveillance video as he stole morphine from the ambulance on two separate occasions on March 19 and March 23, 2015. Comstock later admitted that he had tampered with drugs on all the ambulances prior to that as well.


Comstock also admitted that he tampered with drugs when he visited the Gallatin ambulance building on Feb. 24, 2015. An employee found Comstock (who had stopped working at the Gallatin ambulance company in June 2014) inside the Gallatin ambulance building. Comstock explained he had come by the Gallatin facility to use the treadmill. Later that same day, the employee went on a service call and treated a man suffering from leg pain with 100 mcg of fentanyl; however, the man did not receive any pain relief. When the employee returned, he examined the narcotics cabinet and found several fentanyl vials with loose caps, as well as morphine that appeared to have been tampered with.


The Gallatin ambulance director told federal agents about another suspicious situation at his ambulance building involving Comstock that occurred a week earlier. On Feb. 17, 2015, Comstock stopped by the ambulance building to visit with another paramedic. The next day, another employee checked the narcotics cabinet and noticed two fentanyl vials without their tamper-resistant caps. Subsequently several other fentanyl vials were discovered to have been tampered with.


Under federal statutes, Comstock is subject to a sentence of up to 10 years in federal prison without parole on each of the three counts. The maximum statutory sentence is prescribed by Congress and is provided here for informational purposes, as the sentencing of the defendants will be determined by the court based on the advisory sentencing guidelines and other statutory factors. Sentencing hearings will be scheduled after the completion of presentence investigations by the United States Probation Office.


This case is being prosecuted by Assistant U.S. Attorney Justin G. Davids. It was investigated by the Food and Drug Administration – Office of Criminal Investigations and the Bethany, Mo., Police Department.


