Merck & Co. has been guarded with the details of how extensive the effects of the Petya malware attacks were on its manufacturing operations, but now it is going to have to come clean. The House committee on Energy and Commerce wants Merck CEO Ken Frazier to give it the scoop on what exactly happened and what his company has been doing about it.
Committee Chairman Rep. Greg Walden, R-Ore., and Rep. Tim Murphy, R-Penn., chairman of the subcommittee on oversight and investigations, in a letter (PDF) Wednesday, asked Frazier to report by Oct. 4 on the “circumstances surrounding Merck’s initial infection by NotPetya, as well as what steps it has taken in order to recover and resume full manufacturing capabilities.”
The Congressional committee has made (PDF) essentially the same request of Tom Price, secretary of Health and Human Services, asking what he is doing to protect life-saving medicines from future disruption.
When the malware attack in late June infected unprotected computer systems across the globe, Merck confirmed on Twitter that it was among those hit, providing no other details.
A month later in its second-quarter earnings call, Merck acknowledged that its manufacturing network worldwide had been badly affected by the attack and that it was still working to restore all of its manufacturing. It said its API processing was still not operational.
The company insisted that it could continue to supply its top products, including its highly successful cancer medication Keytruda, but warned it may have temporary delays in fulfilling orders for certain other products in some markets.
It said through significant effort it had been able to keep clinical trials on track. While some sales operations were also disrupted, the company said it did not have any appreciable impact on revenues—although its guidance would have been pegged higher were it not for the malware infection.
In an email today Merck simply said: “We have been in contact with the committee and have offered to brief them at any time. Patients are our top priority and, since the cyberattack, we have prioritized medicines and vaccines that are considered life-saving or medically significant. We are confident in the continuous supply of our key products.”
But Walden and Murphy want specifics. In their letter to Price they said that while they know Merck was not the only company affected by the attack, its manufacturing problems are set apart by the fact that it is “a supplier of life-saving drugs ... and raises the possibility of more serious consequences for the health care sector as a whole.”
That is why they said they need Price to help them understand what HHS has done to get to understand the impact of the attack fully and what it is is going to do about any “drug shortages or other associated consequences caused by cyber infections such as the NotPetya malware strain.”