As cyberattacks against hospitals made international headlines Friday, a short-selling financial firm called Muddy Waters accused medical device maker Abbott Laboratories of trying to use a legal settlement to muzzle critics who discover computer flaws in Abbott devices.
Abbott said the allegation was not true, and that the financially motivated firm was engaging in a “campaign of misinformation” that included broadcasting an out-of-context snippet from a confidential legal document on Twitter. Muddy Waters has not shown signs of backing down.
“MW hereby rejects your noxious settlement proposal that attempts to gag us and [other researchers] from assisting FDA, DHS,” Muddy Waters wrote on Twitter on Thursday afternoon, referencing the Food and Drug Administration and the Department of Homeland Security. That Twitter statement came one minute after Muddy Waters tweeted out a photo of a nondisclosure provision in Abbott’s confidential settlement proposal.
The paragraph proposed Muddy Waters agree not to disclose any information about Abbott devices’ cybersecurity flaws to the FDA or Homeland Security unless subpoenaed. And even if Muddy Waters did get a subpoena, the firm would still have to tell Abbott and then wait 14 days before responding to the government demand.
Abbott confirmed that the excerpt was genuine, but said Muddy Waters intentionally omitted the very next sentence, which states that Abbott officials “do not seek to interfere with any inquiry from any government agency.”
Neither side was willing to provide the full settlement proposal, nor any other details from it.
Abbott didn’t respond on Twitter to Muddy Waters’ allegations, but rather used Friday to tweet out pre-Mother’s Day messages about moms and childbirth.
(Abbott makes the popular baby formula Similac, in addition to advanced heart devices and many other health care products.)
The conflict between Abbott and Muddy Waters started late last summer, when Muddy Waters announced that it had learned of serious cybersecurity vulnerabilities in the wireless communication features in hundreds of thousands of implantable pacemakers and defibrillators made by Minnesota-based St. Jude Medical. Muddy Waters revealed at the same time that it had taken out short-sale contracts that allowed it to profit from a decline in St. Jude stock.
St. Jude eventually sued Muddy Waters and other parties who took part in the disclosure, saying their profit-motivated statements unfairly defamed the company’s products and that the firm failed to follow the normal practice of informing a technology maker before publicly airing its cyber-vulnerabilities.
Chicago-based Abbott inherited the litigation in January when it acquired St. Jude in a deal valued at roughly $25 billion.
Since then, the FDA has confirmed that vulnerabilities in St. Jude devices could allow a computer hacker to remotely access a patient’s implanted device and cause rapid battery depletion or inappropriate shocks, though no such malicious attack has been documented. Last month, the FDA published a warning letter to Abbott alleging St. Jude’s cybersecurity failures rendered some heart devices “adulterated” under federal law. A security patch has already been rolled out.
On Friday, Abbott spokesman Scott Stoffel said Muddy Waters has failed to follow the “appropriate, well-established cybersecurity disclosure practices from the outset” of the controversy last year.
“We were simply proposing that they agree to follow those practices in the future,” Stoffel said, explaining the rationale behind the nondisclosure language in the settlement proposal that Muddy Waters tweeted out.
Stoffel also said Muddy Waters “intentionally omitted a portion of the communication which states that we do not seek to interfere with any inquiry from any government agency; rather, we simply requested advance notice, consistent with recognized standards for the responsible disclosure of potential cybersecurity issues.”
Same day as cyberattacks
Muddy Waters rejected that explanation and noted it was “particularly disturbing” to hear on a day when cyberattacks against hospitals in Europe and the United Kingdom were making major news around the world.
“Forbidding a whistleblower from talking to the government, unless the government asks for information, is wrong. It’s also wrong to require a whistleblower responding to a government request to first tell the company, which is what St. Jude and Abbott want,” a Muddy Waters spokesman wrote in an e-mail Friday.
The case is pending in U.S. District Court in Minneapolis, and a settlement conference in the judge’s chambers is scheduled for June 28 if the case can’t be resolved before then.