St. Jude, Activist Investor Lock Horns Over Cybersecurity Report

Stock trading was halted Friday as St. Jude issued a longer rebuttal to Muddy Waters Capital's claims that St. Jude implantable cardio devices have major cybersecurity problems.

Chris Newmarker

St. Jude Medical on Friday accused activist investor firm Muddy Waters Capital and cybersecurity outfit MedSec of releasing a false and misleading report about the security of St. Jude devices.

The report had sent St. Jude stock down nearly 5% in value on Thurday after its release. But investors seemed calmed Friday by St. Jude's announcement: St. Jude's stock was down another 3% for the day before trading temporarily halted in the afternoon for the announcement, after which the stock rebounded to its starting point for the day at roughly $78 per share.

Such accusations from a short-selling, activist investment firm come at a delicate time for St. Jude Medical. Abbott Labs is in the process of acquiring St. Jude for $25 billion. Abbott officials have already become lukewarm over another merger they were planning: the $6 billion purchase of diagnostics company Alere, which is now suing Abbott to get the deal completed.

Muddy Waters and MedSec have claimed appalling security problems related to a host of St. Jude cardio devices. They mentioned demonstrations of two types of attacks against St. Jude implantable cardiac devices: a "crash" attack leading to device malfunction or even pacing at a dangerous rate, and a battery drain attack. The weak spot in St. Jude's device ecosystem is its Merlin@home home monitoring systems, which Muddy Waters and MedSec described as "keys to the castle."

The groups said in their report: "These units are readily available on Ebay, usually for no more than $35. Merlin@homes

generally lack even the most basic forms of security, and as this report shows, can be exploited to cause implanted devices to malfunction and harm users."

St. Jude on Friday offered a number of rebuttals to the report:

It relied on observations of older Merlin@home units that do not receive the automatic security updates that newer Merlin@home units receive when connected to the Internet. Even if a Merlin@home unit is not in use, it will automatically update when it comes back on line.
The report claimed an attack could be randomly directed at a St. Jude cardiac device within a roughly 50-foot radius, but the company's implantable devices only have wireless communication within a 7-foot range.
A screenshot of a Merlin programmer in the Muddy Waters report shows a device that is actually functioning normally, demonstrating a "fundamental lack of understanding of medical device technology" among the report's authors.

Muddy Waters in response described St. Jude's statement as a missed opportunity to take responsibility for the problems.

Said Muddy Waters: "St. Jude's response shows that it appears to ignore the nature of the vulnerabilities and the attacks that we described in the report. It's statement offers false assurances that the devices are secure and we intend to publicly refute the company's desperate attempt to brush the issue aside once again. At the end of the day, the longer St. Jude fails to take responsibility for these issues, the greater the risk to their users."

Structural Heart Opportunities and Challenges

TAVR and TMVR are among the hottest technologies in medtech right now. Learn what it takes to innovate in the structural heart space at the MD&M Minneapolis conference on September 21. Qmed readers get 20% off with promo code Qmed16.

Chris Newmarker is senior editor of Qmed. Follow him on Twitter at @newmarker. Editor-in-chief Jamie Hartford contributed to this report.

Like what you're reading? Subscribe to our daily e-newsletter.

[Image by Corwinhee - Own work, CC BY-SA 4.0]

Comments

Plain text