St. Jude Medical Files Lawsuit Over Device Security Report

Cardiac Device Maker Contends Report Fueled by Profits, Not Safety Concerns
In a lawsuit, St. Jude Medical claims that a recent report alleging dangerous cybersecurity vulnerabilities in its implantable cardiac devices was financially motivated and contained false statements and "market-bombshell scare tactics."
The federal lawsuit against short-seller Muddy Waters Capital, startup research firm MedSec Holdings, and three principal individuals, filed Sept. 7, alleges defamation by implication, deceptive trade practices, violations of certain federal and Minnesota state statutes and civil conspiracy.
St. Jude Medical is seeking, among other things, "disgorgement of profits made by defendants," damages to be determined at jury trial, treble damages for alleged violations of certain statutes, and attorneys' fees and other costs.
In addition to the two companies, the suit also names as defendants Muddy Waters CEO Carson Block, MedSec CEO Justine Bone, and Hemal Nayak, M.D., a physician at the University of Chicago Medicine, who is an adviser to MedSec and sits on its board of directors.
"We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again," Michael Rousseau, president and CEO at St. Jude Medical, said in a statement.
"We believe this lawsuit is critical to the entire medical device ecosystem - from our patients who have our lifesaving devices, to the physicians and caregivers who care for them, to the responsible security researchers who help improve security, to the long-term St. Jude Medical investors who incurred losses due to false accusations as part of a wrongful profit-making scheme."
Muddy Waters and MedSec did not immediately respond to ISMG's request for comment on the lawsuit.
Sizing Up Impact of Lawsuit
The lawsuit could deter other investment firms or researchers tempted to bypass notifying vendors or government agencies before going public with vulnerability findings in medical devices, says Joshua Corman, a founder of I Am The Cavalry, a grassroots, not-for-profit cyber safety organization, and director of the Cyber Statecraft Initiative at the Atlantic Council.
"This lawsuit warns potential copycats that the consequences of releasing these kinds of reports are not as easy as short-selling stocks," he says. "You might need to add in legal fees later."
But by filing the suit, St. Jude Medical "also risks something being revealed during discovery" about the cybersecurity of its products or its related processes, he notes.
Center of Controversy
Muddy Waters publicly released on Aug. 25 a report based on MedSec's allegations of serious security flaws in certain St. Jude Medical devices without either firm first alerting the vendor or requesting review by federal regulators.
The stock price of St. Jude Medical fell on Aug. 25 after the investment firm revealed it had placed a bet that the device maker's shares would fall, based on the allegations by MedSec. Muddying the situation even more, MedSec had also taken the unusual step of entering into a financial arrangement with Muddy Waters.
"Muddy Waters, MedSec, Carson Block, Justine Bone and Hemal Nayak are concerned only about profiting from the short-sale plays and not patient safety," the St. Jude Medical lawsuit contends. "Because defendants acted in concert and conspired with each other in their scheme to defame and disparage St. Jude, they are jointly responsible for all misconduct, false and misleading statements, and harms."
The lawsuit calls the release of the report an "intentional, willful and malicious scheme to manipulate the securities markets for their own financial windfall through an unethical and unlawful scheme premised upon falsehoods and misleading statements initially contained in [the] Muddy Waters report concerning St. Jude's implantable cardiac rhythm management devices."
St. Jude also alleges in its lawsuit that the actions of the defendants "blatantly disregard ethical standard practices in the cybersecurity community and FDA [Food and Drug Administration] guidance, which call for a legitimately concerned party to first convey any security-related concerns about medical devices to the company itself and/or any relevant government agency or public health authority. ... Defendants have attempted to scare patients into surrendering demonstrated benefits [of cardiac rhythm management devices] by unplugging their St. Jude Merlin@home devices [or] 'remote transmitters,' based on false and misleading information."
The report issued by Muddy Waters and MedSec alleged that MedSec found "key vulnerabilities" in St. Jude Medical implantable pacemaker and defibrillator devices that can "apparently be exploited by low-level hackers." The investment firm wrote in its report that the vulnerabilities found were a "magnitude more worrying than the medical device hacks that have been publicly discussed in the past."
In the lawsuit, St. Jude Medical continues to dispute the MedSec claims, noting that the device maker has taken a variety of measures to address and improve the security of its cardiac products. Those steps include:
- Enlisting internal and third-party experts in designing and testing security measures in cardiac devices, as well as in ongoing security updates and enhancements.
- Providing remote, automated security updates for the remote transmitters that interface with patients' implants. Patient-identifiable data transferred by St. Jude's remote transmitters is sent over an encrypted channel.
- Following "applicable protocols" for making product changes and updates, including those that have gone through FDA's pre-market approval process.
- Submitting cybersecurity risk assessments to FDA for new cardiac products as well as legacy devices.
The St. Jude lawsuit also claims that a team of medical device cybersecurity researchers at the University of Michigan subsequently "debunked" certain claims in the Muddy Waters report.
But Kevin Fu, associate professor of electrical engineering and computer science at the University of Michigan, tells Information Security Media Group in a Sept. 7 statement: "The Michigan report did not express an opinion on the security of the St. Jude device; rather, the report said that the MedSec report was inconclusive because we could reproduce the same result without the device malfunctioning. That is why I always recommend peer review to validate claims."
FDA Weighs In
In a statement to ISMG, the FDA says it's working with the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team to investigate the findings of the Muddy Waters/MedSec report. "At the present time, patients should continue to use their devices as instructed and not change any implanted device," according to the statement. "The FDA will provide updates as we learn more. In the interim, if a patient has a question or concern they should talk with their doctor.
"In managing cybersecurity threats, the FDA encourages manufacturers to stay vigilant and correct vulnerabilities with their products in a proactive manner."
The primary goal of conducting security research on medical devices should be to make products safer and protect patients from harm, notes privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek.
"These goals are best met through conducting research using a scientific methodology which values the sharing of research and validation of suspected vulnerabilities along with notification to vendors and regulatory agencies responsible for patient safety," he says. "Publicizing vulnerabilities in medical devices without offering the end user or patient a solution to mitigate the security threat seems to only create hysteria and sow distrust in the safety of medical devices in the marketplace."