St. Jude Sues Over Cybersecurity Accusations

Chris Newmarker

September 7, 2016

The lawsuit in federal court in Minnesota claims a conspiracy to manipulate St. Jude's stock through false accusations of cybersecurity flaws in the company's cardio devices.

St. Jude Medical on Wednesday said it has filed a lawsuit in federal court against activist investor firm Muddy Waters Capital and cybersecurity outfit MedSec, as well as three principals in the firms.

The suit claims the firms sought to wrongly profit off a short-selling scheme involving St. Jude's stock, spreading false and misleading claims about the security of St. Jude's pacemakers and defibrillators in order to lower the value of the medical device company's stock. 

St. Jude Medical's stock fell about 5% in value on August 25, when Muddy Waters and MedSec made their claims about security vulnerabilities. The company's stock has yet to fully recover, though it was up about half a percent in value after news of the federal lawsuit on Wednesday. St. Jude now wants the firms to turn over their profits from the short-selling, as well as pay relief and damages. 

"We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again," St. Jude Medical CEO Michael T. Rousseau said in a news release.

"We believe this lawsuit is critical to the entire medical device ecosystem--from our patients who have our life saving devices, to the physicians and caregivers who care for them, to the responsible security researchers who help improve security, to the long-term St. Jude Medical investors who incurred losses due to false accusations as part of a wrongful profit-making scheme," Rosseau said. 

Mark Carlson, vice president and chief medical officer at St. Jude Medical, added that the action was taken because of the "irresponsible manner in which these groups have acted."

Muddy Waters responded in a shared statement: "It is not unusual for a company like this to try to silence its critics, and we are always prepared to vigorously defend our right to criticize a company that puts its profits before its patients."

Muddy Waters and MedSec have claimed appalling security problems related to a host of St. Jude cardio devices. They mentioned demonstrations of two types of attacks against St. Jude implantable cardiac devices: a "crash" attack leading to device malfunction or even pacing at a dangerous rate, and a battery drain attack. The weak spot in St. Jude's device ecosystem is its Merlin@home home monitoring systems, which Muddy Waters and MedSec described as "keys to the castle."

St. Jude Medical officials have claimed that the firms' report demonstrates a fundamental lack of understanding of medical device technology. They point to a University of Michigan study in which researchers reproduced experiments that led to the allegations, but came to "strikingly different conclusions." For example, the Michigan researchers found the error messages cited by Muddy Waters as proof of a successful "crash attack" into a home-monitored implantable cardiac defibrillator are simply the error alerts that display when the device is not properly plugged in. 

Besides Muddy Waters and MedSec, the lawsuit also names Muddy Waters founder and research director Carson Block, MedSec CEO Justine Bone, and Hemal Nayak, a University of Chicago professor who is a director and advisor to MedSec. The lawsuit claims they were all "concerned only about profiting from the short-sale plays and not patient safety."

St. Jude Medical also claims defamation around what it says were three false claims in the accusations: that the batteries and telemetry circuitry in St. Jude's cardio devices are vulnerable to a "drain" attack, that the devices are susceptible to a "crash attack" rendering them useless, and that St. Jude lacks the willingness to ensure the safety of its devices from such attacks.

When it comes to the claim of depleting the batteries with an attack, St. Jude says MedSec's tests failed to replicate real world conditions simulating an implanted cardio device, and that such a drain attack cannot happen in such conditions.

The so-called "crash" they claimed to induce, according to St. Jude, was not a security flaw but actually a design feature: "Defendants claimed to have set off red warning lights and rendered a CRM device useless when in fact it was working as designed and providing continued therapy: a 'lockout' feature had simply stopped defendants in their tracks."

Muddy Waters, MedSec, Block, Bone, and Nayak "intentionally constructed their false implication about St. Jude's devices using nonspecific claims unsupported by any evidence, even though, pursuant to industry standards, defendants' researchers could have gained St. Jude's cooperation--directly and/or through governmental or other channels--to investigate their theories," St. Jude Medical claims in the lawsuit.

Chris Newmarker is senior editor of Qmed. Follow him on Twitter at @newmarker.
