St. Jude Medical Strikes Back

The cardiac device maker drops a lawsuit on Muddy Waters and MedSec that includes allegations of false statements and manipulation of the public markets.

Marie Thibault

St. Jude Medical has filed a lawsuit against research company Muddy Waters and cybersecurity company MedSec, alleging false statements, false advertising, conspiracy, and the related manipulation of the public markets.

The legal action is the latest development in the unfolding drama between the device maker and the duo, which started in late August when Muddy Waters published a research note claiming St. Jude's cardiac devices are more vulnerable to cybersecurity attacks and should be recalled. The device maker was not given prior notice of the findings. Basing its claims on an assessment by MedSec, Muddy Waters shorted St. Jude stock; MedSec reportedly was to receive financial compensation from this transaction. St. Jude Medical ($STJ) stock dropped 10% on August 25, the day the report was released, but has since recovered most of its losses.

The lawsuit, filed in the U.S. District Court for the District of Minnesota, names Muddy Waters Consulting LLC, Muddy Waters Capital LLC, MedSec Holdings, Ltd., MedSec LLC, and three principals as defendants. The suit alleges that the defendants "intentionally disseminated false and misleading information in order to lower the value of St. Jude Medical's stock and to wrongfully profit from a drop in share value through a short-selling scheme," according to a press release.

"We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again," Michael T. Rousseau, St. Jude Medical CEO and president, said in the release. He added, "We believe this lawsuit is critical to the entire medical device ecosystem--from our patients who have our life saving devices, to the physicians and caregivers who care for them, to the responsible security researchers who help improve security, to the long-term St. Jude Medical investors who incurred losses due to false accusations as part of a wrongful profit-making scheme."

A Muddy Waters spokesman told MD+DI, "It is not unusual for a company like this to try to silence its critics and we are always prepared to vigorously defend our right to criticize a company that puts its profits before its patients."

MedSec did not immediately respond to a request for comment.

St. Jude Medical had hit back at the original research report in an August 26 rebuttal, but Muddy Waters doubled down on its claims in an August 29 note titled, "STJ: Still Non-Secure." Writing that the company's refutation included "fluff (~80%)," the research firm stated, "there are no changes to MedSec or our conclusions about the lack of security in the STJ device ecosystem, and our belief in the need for recall and remediation."

The battle continued, with St. Jude Medical claiming the next day that a video shown as proof of a crash actually showed a security feature.

In the lawsuit, St. Jude Medical included a third-party examination of the research report by experts from the University of Michigan. These experts "found that 'the evidence does not support their [Muddy Waters/MedSec] conclusions,'" according to the press release.

"Our top priority is to reassure patients, caregivers and physicians who use our life-saving devices that we are committed to the security of our products and to ensure patients and their doctors maintain ongoing access to the proven clinical benefits of remote monitoring," said Mark Carlson, vice president and chief medical officer at St. Jude Medical, in the release. 

Marie Thibault is the managing editor at MD+DI. Reach her at and on Twitter @medtechmarie.

