St. Jude, short-seller trade blame in cybersecurity case

Someone is putting profits before patients when it comes to cybersecurity and St. Jude Medical devices — but it will be up to a judge and jury to decide who.

California short-selling firm Muddy Waters Capital, which profits by publicizing alleged corporate misdeeds and then betting the stock will fall, said in a court filing this week that St. Jude has prioritized profits over patients by failing to fix or disclose purported cybersecurity flaws that could jeopardize a $25 billion acquisition of the Minnesota-based company by Abbott Laboratories.

St. Jude counters that it is Muddy Waters putting profits above patient safety — not only by publicly describing how to attack St. Jude devices remotely, but by spreading what St. Jude calls false information about device security in the first place. St. Jude said it stands behind its cybersecurity protections and its continuous efforts to improve them.

Both sides are now airing their respective arguments in federal court. St. Jude sued Muddy Waters Capital for defamation on Sept. 7, and named private medical device security firm MedSec Holdings and Chicago heart doctor Dr. Hemal Nayak as defendants in a "civil conspiracy." The lawsuit was also filed against Muddy Waters founder Carson Block and MedSec CEO Justine Bone.

Muddy Waters said it has a First Amendment right to publicize truthful and significant risks to Americans posed by St. Jude's devices. An answer it filed Monday to St. Jude's lawsuit included a report from independent security consulting firm Bishop Fox backing up Muddy Waters' claims, though other cybersecurity researchers and financial analysts have supported St. Jude and said the concerns are overblown at best.

In the meantime, St. Jude Medical shareholders are scheduled to vote Wednesday afternoon on whether to sell the longtime Minnesota company to Chicago-based Abbott Laboratories by year's end. The St. Jude shareholders meeting is scheduled for 2 p.m. at the Minnesota History Center.

Abbott has shown a keen interest in expanding sales in its medical device division using St. Jude's line of advanced heart devices. Thus far Abbott executives have appeared unfazed about buying St. Jude while the company is under siege by short-sellers.

FDA still investigating

The FDA and the Department of Homeland Security are still investigating Muddy Waters' cybersecurity allegations, and have not recommended patients do anything different beyond consulting with their doctors if they have concerns.

In its answer Monday, Florida-based MedSec confirmed that it alerted only Muddy Waters, and not St. Jude, to the alleged flaws in the implantable devices. The only doctor that MedSec consulted before going public with the information was Nayak, who is a member of MedSec's board and could profit financially from Muddy Waters' actions.

The alleged cybersecurity flaws identified by MedSec would allow a hacker to disable or cause life-threatening malfunctions in St. Jude pacemakers and defibrillators using wireless home-monitoring equipment easily available on eBay. Hundreds of thousands of the heart devices are implanted in patients today.

"In Muddy Waters' and MedSec's opinions, these vulnerabilities exist today because, for years, St. Jude Medical has put profits over patients," a narrator said in Muddy Waters' latest internet video, published this week at profitsoverpatients.com.

Although Muddy Waters has published several videos and two reports on St. Jude's alleged flaws, Bone said in a blog post Monday that MedSec and Muddy Waters have thus far withheld the key information that could provide a road map to malicious hackers. Bone wrote that it was a complex decision about how much information to publish:

"If the researcher publishes everything about the vendor's security flaws, right down to the attack code it used, then the vendor's customers will be immediately at risk. But if the researchers are intimidated into silence, the customers are still at risk," her blog post on Monday said.

Duty to inform company?

St. Jude's lawsuit said MedSec, Muddy Waters and especially Nayak had a duty to inform St. Jude about their concerns before going public. It said Nayak recommended his patients unplug their Merlin@home wireless patient monitoring devices, which are described as a key part of the alleged vulnerabilities in St. Jude's device network.

"Muddy Waters, MedSec, Carson Block, Justine Bone and Hemal Nayak are concerned only about profiting from the short-sale plays and not patient safety," St. Jude's lawsuit said. "Defendants collectively are willing to risk patient safety by recommending disconnecting remote monitoring equipment to advance their collective interest in earning substantial profits in the stock market."

The concern over remote monitoring grew even more serious on Oct. 11, when St. Jude published a medical advisory saying some of its 350,000 cardioverter defibrillators and resynchronization therapy defibrillators implanted in patients are vulnerable to sudden battery failure from a mechanical problem called "lithium cluster formation" that would cause the devices to shut down with little to no warning.

One of the key recommendations in the advisory was for St. Jude defibrillator patients to enroll in remote monitoring and use the Merlin@home device to actively monitor for battery life issues.

Joe Carlson • 612-673-4779