[BreachExchange] Recent Cyberattack on Merck & Co. Could Lead to Drug Shortage

Audrey McNeil audrey at riskbasedsecurity.com
Mon Sep 25 20:51:41 EDT 2017


http://www.pharmalive.com/recent-cyberattack-on-merck-co-could-lead-to-drug-
shortage/

Federal lawmakers are concerned that a recent cyberattack on pharma giant
Merck & Co. (MRK) could lead to numerous problems including a drug shortage.

Republican leaders on the House Energy and Commerce Committee issued a
letter to Health and Human Services Secretary Tom Priceraising raising
concern over the June cyberattack. First reported by The Hill, the
lawmakers said the malware strain known as NotPetya continues to negatively
impact Merck’s operations. That adds to the “growing list of concerns about
the potential consequences of cyber threats to the health sector,” the
letter said.

In June, Merck, among other global companies, was targeted by the hack,
which was believed to originate in the Ukraine. The virus, a type of
ransomware, shut down computer systems and sought to extort funds from
companies in order to release those compromised systems.

Since the attack, Merck has not fully returned to functionality, something
the federal lawmakers noted in their letter to Price. Citing Merck’s second
quarter report from the end of July, the lawmakers highlighted Merck’s
comments that the company is continuing to restore its manufacturing
operations. Merck has mostly restored its packaging operations and some of
its formulation operations. The company said its Active Pharmaceutical
Ingredient operations is not yet producing bulk content. Merck did note
that its external manufacturing was not impacted and was able to fill
orders and ship its products.

Although Merck noted it is still able to ship treatments, the lawmakers
told Price they are now concerned about potential supply chain breaks. As
an example, the legislators said the Centers for Disease Control noted
recently that Merck would not distribute certain formulations of its
hepatitis B vaccine. Legislators said it’s unclear whether or not this was
related to the ransomware attack, but “it does raise questions about how
the nation is prepared to address a significant disruption to critical
medical supplies.”

In July, Merck said its pediatric hepatitis B vaccine Recombivax HB would
not be available until 2018. The company said the shortage was due to
increased demand for the drug. The CDC said GlaxoSmithKline had adequate
supplies of its hep B drug Engerix-B hepatitis B, AAP News reported in July.

While GSK may have had supplies to cover the gap, lawmakers focused on how
such a shortage, particularly from a U.S.-based company could negatively
impact health care.

“While Merck was not the only company to suffer degraded capabilities due
to the June 27 outbreak, Merck’s role as a supplier of life-saving drugs
and other medical products sets it infection and subsequent manufacturing
issues apart and raises the possibility of more serious consequences for
the health care sector as a whole,” the lawmakers said in the letter.

Cyberattacks, particularly ransomware attacks, are expected to be on the
rise in the next few years. Earlier this summer, Kaspersky Lab’s APT trends
report for 2017 pointed to hackers targeting corporate interests, including
energy companies, TechRepublic reported. The House Republican lawmakers are
seeking information as to how HHS can address any potential drug shortages
due to cyberattacks. Additionally, they have asked for Merck to provide
them with a briefing by Oct. 4. A Merck spokesperson said the company has
offered to brief the legislative committee whenever it asks.

“Patients are our top priority and, since the cyber-attack, we have
prioritized medicines and vaccines that are considered life-saving or
medically significant. We are confident in the continuous supply of our key
products,” the spokesperson told Courthouse News.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170925/933f5524/attachment.html>


More information about the BreachExchange mailing list