St. Jude Medical Sues Muddy Waters/MedSec; FDA to Investigate Allegations

On Wednesday this week, St. Jude Medical announced it had filed a lawsuit against Muddy Waters and MedSec Holdings for intentionally disseminating ‘false and misleading’ information about the company’s medical devices in order to devalue stock and profit from the disclosure. St. Jude Medical is seeking unspecified damages and the forfeiture of all investment profits.

Short-sellers profit from the devaluation of stock by borrowing shares and selling them prior to an expected fall in stock prices. When the price falls, the stock is repurchased and returned to the lender. Fees are paid to the lender of the stock and any profits made are retained by the short-seller. In this case, MedSec was paid a consultancy fee by Muddy Waters for providing the research and the company stands to receive a share of any profits made by Muddy Waters.

Following the publication of the Muddy Waters report, stock prices fell by approximately 10%, although they later recovered some of their value and are now trading at around 3-4% lower than before the Muddy Waters report was published.

St. Jude Medical has denied that there are security vulnerabilities in its defibrillators, monitors, and pacemakers and claims it has a number of cybersecurity protections in place to ensure its devices are protected from cyberattacks.

Researchers at the University of Michigan attempted to reproduce the crash of the devices, but while error screens were generated, the researchers interpreted them differently. They were not believed to indicate that the devices had been caused to crash. The researchers said the evidence of a device crash, as detailed in the Muddy Waters report, was inconclusive.

According to Chief Executive Michael T. Rousseau, “We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cyber security concerns, do not use this avenue to do so again.”

Muddy Waters and MedSec said they will “vigorously defend [the] right to criticize” St. Jude Medical.

FDA Investigating Allegations of Device Vulnerabilities

The Food and Drug Administration is investigating the allegations that certain St. Jude Medical devices have security flaws that could potentially be exploited to cause patients to come to harm. The investigation commenced shortly after the publication of the Muddy Waters report.

The FDA has a responsibility to the public, and when information comes to light that suggests consumers may be at risk of harm, it is obliged to conduct an investigation. The FDA’s Suzanne Schwartz told Reuters “We are putting all of our focus on making sure that we have an understanding of what these allegations are and do a thorough investigation of the claims.”

The FDA has previously issued guidelines covering medical devices security vulnerabilities and recommends that security researchers work with the manufacturers of those devices to ensure flaws are addressed. MedSec chose not to notify the St. Jude Medical of the flaws, and instead took the information to a short-selling firm.

Justine M. Bone, chief executive officer of MedSec, said the decision to disclose the firm’s research to Muddy Waters rather than St. Jude Medical was primarily because St. Jude had previously received numerous warnings about security vulnerabilities and had not taken sufficient action to address risk.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.