Updated with information from the FDA
St. Jude Medical (NYSE:STJ) said today that it sued the short seller and the hacking shop behind a report of alleged cybersecurity vulnerabilities that’s shaved 5% from its share price since August 25.
Little Canada, Minn.-based St. Jude said the lawsuit was filed against Muddy Waters Consulting and its founder, well-known short-seller Carson Block, plus hacking shop MedSec, its CEO Justine Bone and advisor Dr. Hemal Nayak. The lawsuit accuses the defendants of making false statements, false advertising, conspiracy and “the related manipulation of the public markets in connection with St. Jude Medical’s implantable cardiac management devices.”
Muddy Waters aimed to disrupt the pending, $25 billion acquisition of St. Jude by Abbott (NYSE:ABT); in addition to his bet that STJ share prices will fall, Block is long on ABT shares. The Muddy Waters report, brought to the firm by MedSec, alleged that St. Jude’s CRM devices pose a cybersecurity risk due to vulnerabilities in the Merlin@home monitor.
The Little Canada, Minn.-based company immediately denied the charges and fired off a detailed rebuttal the next day; in response, Muddy Waters yesterday claimed that St. Jude instead proved the short-seller’s assertions. St. Jude said that a later salvo from Muddy Waters, a video purporting to show a Merlin@home device succumbing to a hack, actually shows that the device functioned just as designed. And researchers at the University of Michigan, seeking to reproduce the faults alleged in the Muddy Waters report, concluded that the report has “major flaws” and that the so-called Merlin@home system crash “are the same set of errors that display if the device isn’t properly plugged in.”
The FDA won’t be sitting on its hands, saying it plans a “thorough investigation” of allegations made by Muddy Waters over the devices. The agency said it began its initial investigation in late August.
“Regardless of the way a vulnerability comes to our attention, we take those allegations very, very seriously. We are putting all of our focus on making sure that we have an understanding of what these allegations are and do a thorough investigation of the claims,” FDA official Suzanne Schwartz said in a telephone interview, according to Reuters.
The agency took issue with the publicized claims of cybersecurity issues, as it issued draft guidelines in January urging researchers to work directly with manufacturers when they uncover alleged bugs.
St. Jude said today that the lawsuit aims to hold the defendants accountable for the “false and misleading tactics” and to set the record straight about the security of its devices.
A Muddy Waters spokesman wrote via email that, “It is not unusual for a company like this to try to silence its critics and we are always prepared to vigorously defend our right to criticize a company that puts its profits before its patients.”
“We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again,” St. Jude president & CEO Michael Rousseau said in prepared remarks. “We believe this lawsuit is critical to the entire medical device ecosystem – from our patients who have our life saving devices, to the physicians and caregivers who care for them, to the responsible security researchers who help improve security, to the long-term St. Jude Medical investors who incurred losses due to false accusations as part of a wrongful profit-making scheme.”
“Defendants undertook their carefully orchestrated scheme with the express intent to interfere with efficient public markets by intentionally disseminating false information in order to depress the value of St. Jude’s stock and profit from such depression in value by implementing a short-selling scheme. The sole purpose of this short-selling scheme was to enable defendants to secure a quick and illegal financial windfall,” according to the 33-page complaint filed today in the U.S. District Court for Minnesota. “Defendants purportedly claim they also wanted to inform users and physicians of risks associated with the use of St. Jude’s CRM Devices, but this claim is belied by the fact that Muddy Waters had no experience in medical device security and purportedly relied on MedSec and its medical advisor and board member, Dr. Nayak, both of whom procured a financial interest in the short-selling scheme regarding St. Jude’s stock value. The actions of each of the defendants, individually and collectively, blatantly disregard ethical standard practices in the cybersecurity community and FDA guidance, which call for a legitimately concerned party to 1st convey any security-related concerns about medical devices to the company itself and/or any relevant government agency or public health authority.”
“We recognize that the cybersecurity landscape is dynamic, which is why we partner with researchers, agencies, consultants and others to continually strengthen our security measures currently in place,” chief technology officer Phil Ebeling said in a prepared statement today. “We also have processes in place to encourage anyone with information about the security of our technology to share it with us so that we can enhance our technology for the benefit of patients.”
“Our top priority is to reassure patients, caregivers and physicians who use our life-saving devices that we are committed to the security of our products and to ensure patients and their doctors maintain ongoing access to the proven clinical benefits of remote monitoring,” added chief medical officer Dr. Mark Carlson. “We decided to take this action because of the irresponsible manner in which these groups have acted.”
Material from Reuters was used in this report.