Short-selling firm Muddy Waters said today that outside cybersecurity experts validated its claim that cardiac rhythm management devices made by St. Jude Medical (NYSE:STJ) are vulnerable to malicious hackers.
Muddy Waters and research firm MedSec Holdings, which both stand to gain financially from a decline in the price of STJ shares, first claimed in August that St. Jude’s Merlin@home remote patient monitoring system was vulnerable to hacking. Although St. Jude immediately denied the claims as completely false, its share price initially slid some -5% and is still off about -3% from its August 24 close; STJ shares were trading at $79.30 apiece today in mid-day activity, down -0.1%. Last week, in a release timed to coincide with St. Jude’s third-quarter results announcement, the short seller posted a series of videos purporting to show cybersecurity vulnerabilities in the company’s cardiac rhythm management products.
St. Jude sued Muddy Waters, MedSec and their principals in September, accusing them of making false statements, false advertising, conspiracy and “the related manipulation of the public markets in connection with St. Jude Medical’s implantable cardiac management devices.” In its legal response to the lawsuit today, Muddy Waters included a report from a team led by outside consulting firm Bishop Fox that sought to repeat MedSec’s findings, “using only the technical details provided by MedSec” and St. Jude equipment provided by MedSec.
“My overall opinion regarding the security of the St. Jude Medical implantable cardiac device ecosystem is that the security measures I observed do not meet the security requirements of a system responsible for safeguarding life-sustaining equipment implanted in patients. In particular, the wireless protocol used for communication among St. Jude Medical cardiac devices has serious security vulnerabilities that make it possible to convert Merlin@home devices into weapons capable of disabling therapeutic care and delivering shocks to patients at distances of 10 feet, a range that could be extended using off-the-shelf parts to modify Merlin@home units. I found that Muddy Waters’ and MedSec’s statements regarding security issues in the St. Jude Medical implant ecosystem were, by and large, accurate,” wrote Carl Livitt, the Bishop Fox consultant who led the team.
A spokeswoman for St. Jude told MassDevice.com via email that the company brought the lawsuit “to hold these firms accountable for their false and misleading tactics, to set the record straight about the security of our devices, and to help cardiac patients and their doctors make informed medical decisions about our products that enhance and save lives every day.”
“We continue to feel this lawsuit is the best course of action to make sure those looking to profit by trying to frighten patients and caregivers are held accountable for their actions,” the statement read. “Our lawyers are reviewing the response from Muddy Waters and MedSec and will respond through appropriate legal channels.”