Gilead ruled in breach for failing to comply with an undertaking: Biktarvy tolerability claim remained on website

• ViiV Healthcare UK Ltd alleged Gilead Sciences Europe Ltd breached an undertaking given in Case AUTH/3137/12/18 by continuing to use the claim that Biktarvy (bictegravir/emtrictabine/tenofovir) was “Better tolerated than DTG [dolutegravir] – containing regimens”.
• The claim had been ruled in breach by the Code of Practice Appeal Board on 9 October 2019 (following an unsuccessful appeal by Gilead).
• Gilead was informed of the appeal outcome on 6 November 2019 and provided an undertaking dated 18 November 2019 accepting the Appeal Board’s decision.
• ViiV provided screenshots dated 20 November 2019 showing the claim still appeared on a UK-accessible website owned by Gilead.
• The complaint was also taken up in the name of the Director because the Authority was responsible for ensuring compliance with undertakings.
• Gilead investigated and identified similar material on password-protected health professional pages of its hiv.eu website; corrective action was taken on 22 November 2019 to remove the claims.

• The Panel ruled there had been a failure to comply with the undertaking given in Case AUTH/3137/12/18.
• A breach of Clause 29 was ruled (as acknowledged by Gilead).
• A breach of Clause 9.1 was ruled (as acknowledged by Gilead) because high standards had not been maintained.
• The Panel ruled a breach of Clause 2, finding the failure to comply with the undertaking brought discredit upon, and reduced confidence in, the pharmaceutical industry.

• Clause 29 (Breach of undertaking) – Breach ruled.
• Clause 9.1 (High standards) – Breach ruled.
• Clause 2 (Discredit to the industry) – Breach ruled.

No explicit additional sanctions stated beyond the required undertaking/corrective actions described in the report

Why this matters: Undertakings underpin self-regulation. If material ruled in breach remains live after an undertaking is signed, it undermines confidence in compliance controls and can escalate a matter into a Clause 2 (industry discredit) issue.

Where teams typically slip up (interpretation):

• Assuming a single channel takedown (e.g., public pages) covers all instances, while mirrored, archived, or password-protected pages remain live.
• Relying on manual web edits without a documented “all properties” sweep (country access, HCP gates, subdomains, PDFs, cached assets).
• Signing an undertaking before confirming technical removal across all owned digital estates and third-party hosting arrangements.

The control that would have prevented it: A formal post-ruling/undertaking takedown SOP requiring a complete inventory-based sweep of all owned digital properties (including gated HCP areas) with evidence of removal and a second-person verification before confirming completion.

What I’d check in the job bag:

• The undertaking text and internal sign-off record, including the scope definition of “material in question and any similar material”.
• A channel inventory showing all locations where the claim could appear (public site, HCP site, subdomains, downloadable assets).
• Takedown tickets/change logs showing what was removed, by whom, and when (including the 22 November corrective action).
• QA evidence (screenshots/URL list) demonstrating the claim was removed from each location after the undertaking date.
• Root-cause analysis and CAPA documenting how the claim remained live two days after the undertaking and how recurrence will be prevented.

What the sanctions tell you (interpretation):

• Even without explicit extra sanctions stated in the summary, the ruling shows the Panel treats undertaking compliance as a high-stakes control point.
• Failure to execute promptly can convert an operational lapse into a reputational breach (Clause 2).
• Panels may accept prompt corrective action, but still rule breaches where the undertaking was not complied with “forthwith”.

3 questions to ask your team this week:

1. Do we have a documented, repeatable process to remove ruled-in-breach claims from every owned digital location (including gated/HCP pages) within 24–48 hours?
2. Before we sign an undertaking, do we verify and evidence that all instances are already removed (or have a timed plan with accountable owners)?
3. How do we prove completion—what audit trail (URLs, screenshots, change logs) would we provide if challenged two days later?