Lawmakers ask Merck, HHS for more information about NotPetya malware attack

Merck
Lawmakers say the June malware attack raises concerns about a potential drug shortage.

Two Republican lawmakers have asked Merck and the Department of Health and Human Services to provide a House committee with more information about the NotPetya malware attack that continues to disrupt manufacturing operations for the pharmaceutical giant.

Rep. Greg Walden, R-Oregon, and Rep. Tim Murphy, R-Pennsylvania, asked HHS Secretary Tom Price to brief the Committee on Energy and Commerce by October 4 regarding the actions HHS has already taken to respond to the June malware attack and the continued disruptions, as well as the agency’s plans and procedures for addressing a drug shortage caused by the cyberattack.

In a second-quarter financial filing, Merck acknowledged that the cyberattack—known as Petya and NotPetya—disrupted manufacturing, research and sales operations, but added the company “does not yet know the full magnitude of the impact of the disruption, which remains ongoing in certain operations.”

RELATED: Pennsylvania health system, U.S. drugmaker hit by global ransomware attack

That raised concerns from the two lawmakers, who highlighted a recent vaccine shortage update from the CDC indicating Merck would not be distributing its adult hepatitis B vaccine until the end of 2018. It’s not clear whether the disruptions caused by the NotPetya attack were the cause.  

“Though cybersecurity has been of increasing concern over the last several years, especially within the healthcare sector, the NotPetya infection represents a new challenge in that it is one of the first known instances in which a malware infection disrupted a company’s physical manufacturing capabilities,” the lawmakers wrote in a letter (PDF) to Price. “While Merck was not the only company to suffer degraded capabilities during the June 27 outbreak, Merck’s role as a supplier of life-saving drugs and other medical products sets its infection and subsequent manufacturing issues apart and raises the possibility of more serious consequences for the health care sector as a whole.”

RELATED: Healthcare data breaches are 'significantly underreported' as information sharing challenges persist

Walden, who serves as chair of the Committee on Energy and Commerce, and Murphy, who chairs the Subcommittee on Oversight and Investigations, echoed those sentiments in a letter (PDF) to Merck CEO Kenneth Frazier, requesting more information on the initial attack and the subsequent efforts to resume manufacturing.

Merck’s chief information security officer Terry Rice has previously testified that cybersecurity incidents are “significantly underreported” and called for more coordination with federal agencies. Rice also served on the HHS Cybersecurity Task Force that released a report spelling out the “urgent challenge” cybersecurity presents across the healthcare industry.