In a release timed to coincide with St. Jude Medical’s (NYSE:STJ) 3rd-quarter results announcement today, short-selling firm Muddy Waters posted a series of videos purporting to show cybersecurity vulnerabilities in the company’s cardiac rhythm management products.
Muddy Waters and research firm MedSec Holdings, which both stand to gain financially from a decline in the price of STJ shares, 1st claimed in August that St. Jude’s Merlin@home remote patient monitoring system was vulnerable to hacking. Although St. Jude immediately denied the claims as completely false, its share price initially slid some -5% and is still off about -3% from its August 24 close; STJ shares were trading at $79.30 apiece today shortly after the markets opened, down -0.2%.
The Muddy Waters website claims that the videos released today “demonstrate in detail 4 new attacks that show Merlin@homes can be made to broadcast potentially lethal commands to implantable devices.”
“Muddy Waters has heard from several whistleblowers and cardiologists who believe St. Jude has a history of ignoring problems that could have a significant impact on patients’ health,” a spokesman for the company, founded by well-known short-seller Carson Block, told MassDevice.com today via email.
It’s common practice for cybersecurity researchers to contact companies when they discover possible vulnerabilities, but neither Muddy Waters nor MedSec ever contacted the company with their cybersecurity concerns before making them public, a St. Jude spokeswoman told us this morning, also via email.
In a statement emailed to MassDevice.com, St. Jude called the release of the “unverified” videos “irresponsible.”
“This behavior continues to circumvent all forms of responsible disclosure related to cybersecurity and patient safety and continues to demonstrate total disregard for patients, physicians and the regulatory agencies who govern this industry,” according to the statement. “Patients, physicians, and caregivers deserve better than the irresponsible release of information that is intended for financial gain and is unnecessarily frightening.”
The company, which this week said it would assemble a cybersecurity advisory panel to guide its development efforts, pledged to “once again work to quickly evaluate this new information.” St. Jude said it made 7 security updates to the Merlin@home device over the last 3 years.
“St. Jude Medical stands behind the security and safety of our devices,” the company said. “We have worked, and will continue to work, together with responsible researchers to understand and assess any claims and identify any potential vulnerabilities in our devices.”
During a conference call with analysts on the 3rd-quarter results, Rousseau said he expected Muddy Waters to continue to “mislead” investors and patients about the cyber safety of St. Jude’s devices.
When the firm 1st aired its claims over the summer, St. Jude fired off a detailed rebuttal that Muddy Waters claimed instead proved its allegations. St. Jude retorted that the Muddy Waters video purporting to show a Merlin@home device succumbing to a hack actually showed that the device functioned just as designed; researchers at the University of Michigan, seeking to reproduce the faults alleged by the short seller, concluded that the initial report has “major flaws” and that the so-called Merlin@home system crash “are the same set of errors that display if the device isn’t properly plugged in.”
Material from Reuters was used in this report.