House committee takes interest in ‘NotPetya’ malware attack fallout

House Energy and Commerce Committee leaders are concerned that a malware attack from late June 2017, known as “Petya” or “NotPetya,” may have lingering effects on Merck & Co, Inc. The leaders sent letters to Merck’s CEO and HHS Secretary Price expressing this concern and requesting additional information about the attack and the effects on the company.

NotPetya

The malware infection began on June 27, 2017, and spread across the world, infecting businesses from a variety of sectors. At the time of the attack, the extent of Merck’s vulnerability was not precisely known, although an employee reported that they were told to stop working and some computers appeared to be wiped and that all U.S. offices were affected by the attack. The committee letters referred to information provided in Merck’s second-quarter 2017 financial outlook, which stated that packing operations were mostly restored, formulation operations were partially restored, and active pharmaceutical ingredient operations were partially restored but bulk product was not yet being produced.

Patient risk

The committee’s interest in the matter stemmed from concern that patients may have been negatively impacted by manufacturing disruption. Although evidence of such risk was not present, the committee pointed to an announcement from the Centers for Disease Control and Prevention (CDC) that certain formulations of Merck’s Hepatitis B vaccine would not be available. The committee requested that Merck provide a formal briefing to the committee on the initial infection and Merck’s steps to recover and resume manufacturing by October 4, 2017. The committee also requested an HHS briefing on the agency’s steps to understand and respond to the situation as well as plans for addressing drug shortages or other consequences stemming from cyberattacks.