







On Sept. 22, 2025, Merck Sharp & Dohme LLC ("Merck"), a pharmaceutical company headquartered in New Jersey, was notified that one of its U.S.-based service providers, Graebel Companies, experienced a data breach that exposed sensitive personal information of current and former employees.
The cybersecurity incident was disclosed to the Massachusetts Attorney General’s office on Nov. 17, 2025. The total number of affected individuals is not yet known, but based on the type of information exposed, it could be significant.
Compromised data may include names, dates of birth, addresses, phone numbers, Social Security numbers, and financial account information. The exposure of personally identifiable information (PII) and financial information puts individuals at risk of identity theft and fraud.
In response to the incident, Merck worked closely with Graebel to understand the scope and impact of the breach. Graebel implemented incident containment measures and enhanced its security protocols. Merck has communicated directly with affected individuals and is offering complimentary credit monitoring and identity theft protection services through TransUnion for 24 months.
If you receive notification from Merck or your provider about this breach, you may want to:
