
House committee wants to know a lot more about the cyberattack that damaged Merck

Up to now, Merck has been reluctant to go into much detail regarding just how damaging a recent cyberattack has been to operations. Now, though, it will have to, as the House Committee on Energy and Commerce has raised the matter to an issue involving national security.

Merck has acknowledged that the attack on June 27 roiled its manufacturing, sales and R&D ops. Drug and vaccine manufacturing was crimped weeks after the attack and Merck conceded that it would hamper annual revenue as the company continued to scramble to repair the crippling aftereffects.

Photo: Ken Frazier, the CEO of Merck, at the White House on July 20, 2017, one month prior to resigning from the President’s manufacturing council (AFP Photo / Saul Loeb)

But the company has also been reluctant to spell out exactly how hard it was hit and where, leaving lawmakers looking to learn more about the impact and how a more effective cyberattack could wallop the entire healthcare sector.

The committee wrote:

While there is no evidence, to date, that Merck’s manufacturing disruption has created a risk to patients, it certainly raises concerns. For example, in a recent update on national vaccine supply, the CDC reported that Merck would not be distributing certain formulations of the Hepatitis B vaccine. While it is unclear if this is related to the NotPetya disruption, and much of the supply can be filled by other manufacturers, it does raise questions about how the nation is prepared to address a significant disruption to critical medical supplies.

In a statement to Endpoints News, Merck says supply issues with Recombivax HB are not related to the cyberattack and adds:

Merck is experiencing manufacturing constraints in 2017 related to the growing global demand for our vaccines and unexpected demand due to lack of competitive supply. Supply interruptions for the adult formulation of RECOMBIVAXHB began in the first quarter of 2017. Merck does not expect to be distributing RECOMBIVAXHB in the United States between now and the end of 2018. Additionally, Merck expects its pediatric formulation of RECOMBIVAXHB will be unavailable in the United States between early August 2017 until early 2018. The dialysis formulation of RECOMBIVAXHB in the United States is not affected.

Lawmakers’ letter to Merck CEO Ken Frazier asks for a formal presentation detailing the cyberattack’s impact by October 4. The company says they’re in touch with the committee.

NotPetya was based on stolen NSA technology. Microsoft first encountered the virus with “worm capabilities” in 12,500 computers in Ukraine, which then spread laterally to another 64 countries including the United States, infecting computers that were not patched with critical updates.

Merck claims the patches were installed. At the time they said, “government authorities working with us have confirmed that the malware responsible for the attack contained a unique combination of characteristics that enabled it to infect company systems despite installation of recent software patches.”

