Inspectors with the U.S. Food and Drug Administration on Wednesday slapped St. Jude Medical with a warning letter accusing the medical device maker of failing to properly investigate problems with the batteries in its implantable defibrillators and the cybersecurity of its at-home monitoring equipment.
The inspectors said that company officials systematically underestimated the true risks facing heart-device patients, even after one person died in 2014. Further, seven patients were implanted with defibrillators after St. Jude recalled more than 400,000 of the devices. On cybersecurity, the letter said the company failed to prove that it made sure a recent software patch would fix potential vulnerabilities before rolling it out to the public.
"We have reviewed your response and conclude that it is not adequate," said the FDA warning letter to St. Jude, using language contained in many such letters. "You should take prompt action to correct the violations addressed in this letter. Failure to promptly correct these violations may result in regulatory action being initiated by the FDA without further notice."
A spokesman for Abbott Laboratories said in an e-mailed statement that patient safety comes first, and that Abbott has a strong history of product safety and quality. "We take these matters seriously, continue to make progress on our corrective actions, will closely review FDA's warning letter, and are committed to fully addressing FDA's concerns," spokesman Jonathon Hamilton wrote.
The statement didn't specifically address the allegations in the warning letter.
In the past, St. Jude has staunchly defended the safety of its products and even filed a defamation lawsuit against its cybersecurity critics.
St. Jude Medical was a Little Canada-based company when most of the alleged failures to correct the problems took place. The company was acquired in January by Chicago-based Abbott Laboratories in a $25 billion deal. Wednesday's warning letter is addressed to Michael Rousseau, president of Abbott's cardiovascular device division and former CEO of St. Jude.
The letter ties together two controversies that, until Wednesday, had been separate headaches for St. Jude.
St. Jude issued a recall notice affecting about 400,000 implantable devices with lithium batteries last October, following patient deaths in 2014 and 2016 and dozens of hospitalizations. The recall notice said a rare but serious problem involving the lithium chemistry of its batteries could cause a device to short circuit and go dead without triggering the usual battery-indicator warning. The problem affected older versions of its Fortify, Unify and Assura defibrillators.
The Star Tribune reported last November that the company continued to ship the devices to hospitals for more than a year after changing the lithium battery design to fix the flaw that could cause the short circuiting. Company executives said at the time that St. Jude moved as quickly as possible with the information it had, and promptly told doctors about the issue once the decision to recall was made.
But on Wednesday the FDA said St. Jude officials had for years systematically underestimated the true risk to patients by basing their evaluations only on "confirmed" cases of battery failures, and disregarding cases in which battery shorts may have been involved. Even when the outside company that supplies St. Jude's defibrillator batteries provided evidence for what was causing the problem, St. Jude officials concluded the cause of the failures was unconfirmed.
"By basing your firm's risk evaluation on 'confirmed' cases and not considering the potential for 'unconfirmed' cases to have been shorts, your firm underestimated the occurrence of the hazardous situation," the warning letter says, noting that a 2014 patient death wasn't presented to medical advisers assessing the risk at the time.
St. Jude continued to ship the devices with the flawed batteries until October 2016. The warning says 10 implantable defibrillators were shipped after the recall was issued, and seven more were implanted in patients after the recall was announced.
On cybersecurity, St. Jude officials have said they thoroughly investigated allegations from Muddy Waters Capital, an investment research firm that publicly accused the company last summer of skipping basic cybersecurity protections in its Merlin@home monitoring devices. Muddy Waters Capital revealed it had shorted the device maker's stock, positioning itself to profit if St. Jude shares lost value. St. Jude eventually filed a defamation lawsuit against the firm and a security research firm, among others.
Wednesday's warning letter said St. Jude didn't follow its own internal policies for investigating such problems, including failing to confirm that a root-cause investigation was carried out.
The company responded to the inspectors' findings in writing, but the FDA did not accept the explanations. The company's written responses were not available Wednesday evening.
FDA inspectors said the devices were considered "adulterated" under the law because of the alleged violations. Abbott has 15 days to respond to the FDA with specific steps to correct the problems.