MassDevice

The Medical Device Business Journal — Medical Device News & Articles | MassDevice

UPDATE: St. Jude Medical denies short-seller’s accusations

August 25, 2016 By Brad Perriello

UPDATED August 26, 2016, with St. Jude Medical’s rebuttal.

St. Jude Medical (NYSE:STJ) sharply rebutted allegations by a short-seller that nearly half of its cardiac rhythm management devices are extremely vulnerable to hackers.

St. Jude Medical vehemently denied the charges, with their top R&D executive calling them “absolutely untrue.”

Muddy Waters, the firm founded by well-known short-seller Carson Block, issued a report today accusing Little Canada, Minn.-based St. Jude of being “grossly negligent” in failing to safeguard its Merlin@home device, which connects with implanted pacemakers and defibrillators. The short-seller wants to disrupt the pending, $25 billion acquisition of St. Jude by Abbott (NYSE:ABT); Block is long on ABT shares, he told Reuters.

The Merlin@home devices “can be exploited to cause implanted devices to malfunction and harm users. We believe that courts will hold STJ’s lack of security in its Cardiac Device ecosystem is grossly negligent, unless STJ settles the litigation we see as inevitable,” according to the Muddy Waters report.

“The vulnerabilities result from an apparent lack of device security; and, the communication protocols for the Cardiac Device ecosystem – which we believe lacks basic protections such as encryption and authentication – are in fact compromised,” according to the firm’s 33-page report. “As a result, an attacker can impersonate a Merlin@home unit, and communicate with the Cardiac Devices – and likely even STJ’s internal network. While STJ might be able to patch one particular type of attack, the mass distribution of access points to the inner workings of the ecosystem via the home monitoring devices requires in our opinion, a lengthy system rework.”

“The allegations are absolutely untrue,” St. Jude Medical chief technology officer Phil Ebeling said in an emailed statement. “There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices.”

The accusations stem from a cybersecurity firm, Miami-based MedSec Holdings, that approached Muddy Waters after investigating St. Jude and 3 of its competitors. MedSec’s compensation for the research, however, is tied to Block’s short on STJ shares. And cybersecurity experts say there’s no economic rationale for the type of mass attack hypothesized in the Muddy Waters report.

“The lack of a clear business model for making money from hacking medical devices suggests that it’s unlikely we will see the types of mass attacks,” famed “white hat” medical device hacker Billy Rios told Bloomberg.

St. Jude questioned the validity of the report and defended the safety and security of its devices.

“We have examined the allegations made by Muddy Waters Capital and MedSec on August 25, 2016, regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading. Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions,” St. Jude wrote in a prepared statement.

St. Jude reiterated that its remote monitoring is a “safe and effective means for patients to communicate with their physician,” and noted that remote monitoring has been documented in “leading publications” as a system that saves lives.

“At St. Jude Medical, we work with 3rd-party experts, researchers, government agencies and regulators in cybersecurity to develop appropriate safeguards for our data and devices as part of our product development process and life cycle. These experts assist in designing security controls from the early stages of product design through final release and ongoing product enhancements, including software updates and security patches for our products. We also conduct regular risk assessments based on FDA guidance and perform penetration tests using internal and external experts. In addition, we collaborate with industry and governmental organizations to gain insight on recent trends and take appropriate action,” St. Jude wrote in a press release.

The company said that its Merlin@home units feature an automated remote upgrade process so that “security enhancements” are automatically installed when available.

“Our analysis concluded that the majority of the observations in the report apply to older versions of the Merlin@home devices (i.e., those that have not been updated through the automated remote upgrade process). We are confident in the technology that we provide and in our process for continuously building upon our security protocols and processes. We want to reassure our patients that our systems meet the highest international security requirements, as required by regulatory authorities and international standards organizations,” St. Jude wrote in prepared remarks.

St. Jude denied the claims that the device’s battery could be depleted at 50-foot range, saying it would not be possible once the device is implanted into a patient, as it is limited to an approximate 7-foot range.

“This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report. In addition, in the described scenario it would require hundreds of hours of continuous and sustained “pings” within this distance. To put it plainly, a patient would need to remain immobile for days on end and the hacker would need to be within seven feet of the patient. In the unlikely instance that was to occur, the implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold to protect and notify patients,” St. Jude wrote in a prepared release.

STJ shares were down 8.5% to $74.90 apiece as of about 12:40 Eastern today.
