Following a cyberattack on Merck & Co., in June 2017, the US House of Representatives’ Energy and Commerce Committee has sent letters to the US Department of Health and Human Services (HHS) and Merck & Co. regarding the malware infection (NotPetya) and its potential connection with drug supply. The letters were signed by Energy and Commerce Committee Chairman Greg Walden (R-OR) and Oversight and Investigations Subcommittee Chairman Tim Murphy (R-PA).

The Congressmen are seeking additional information to better understand the nature of the cyberattack and the policies, plans, and procedures in place at the HHS to deal with potential drug shortages and supply issues in the event of cyberattacks. They are seeking a briefing by HHS and Merck & Co by October 4, 2017.

As part of its second-quarter earnings report on July 28, 2017, Merck & Co., provided an update on the impact on its operations resulting from the June network cyberattack that led to the disruption of its worldwide operations, including manufacturing, research, and sales operations. The letter cites the report as an initial source of information about the malware outbreak and how the company has been impacted.

The committee said, according to both news reports and recent public statements, Merck’s ability to supply some of its products may be affected due to lingering effects of the malware strain commonly known as NotPetya. “While there is no evidence, to date, that Merck’s manufacturing disruption has created a risk to patients, it certainly raises concerns,” said the letter to Merck & Co. “For example, in a recent update on national vaccine supply, the CDC [US Centers for Disease Control and Prevention] reported that Merck would not be distributing certain formulations of the hepatitis B vaccine. While it is unclear whether this is related to the NotPetya disruption, and much of the supply can be filled by other manufacturers, it does raise questions about how the nation is prepared to address a significant disruption to critical medical supplies,” the letter said.

“While it has long been understood that Merck was among those infected by this malware, the revelation that it continues to affect Merck’s operations adds to the growing list of concerns about the potential consequences of cyber threats to the healthcare sector. It is important, therefore, for the committee to understand the details of this event so we can work together to ensure appropriate lessons are identified and addressed,” the letter said.

The malware was largely contained after the initial outbreak, but had compromised businesses around the world, according to the committee. Known victims came from a variety of sectors including, but not limited to, shipping, food, marketing, oil, and legal.

Source: US House Energy and Commerce Committee