St. Jude Medical stock went into a brief free-fall Thursday morning following publication of a short seller’s research report that lambasted the company for lax cybersecurity practices and predicted nearly half the med-tech company’s revenue may evaporate for two years.
Muddy Waters Capital, a combative financial research group, revealed an aggressive bet against the Little Canada-based maker of heart devices because of what it called “worrying” problems with the cybersecurity of St. Jude’s medical devices. The group said St. Jude pacemakers and other heart-rhythm devices are vulnerable to attacks that can disable the implantable lifesaving devices.
“We find STJ cardiac devices’ vulnerabilities orders of magnitude more worrying than the medical device hacks that have been publicly discussed in the past,” the 34-page Muddy Waters report says, referring to St. Jude Medical by its stock ticker symbol.
Muddy Waters called on St. Jude to recall and fix the devices, which it said could take two years. The firm noted that pacemakers, implantable defibrillators, and cardiac resynchronization therapy devices made up about 46 percent of St. Jude’s 2015 revenue.
St. Jude officials, who are in the processing of selling the company to Abbott Laboratories for $25 billion, immediately fired back.
“The allegations are absolutely untrue,” Phil Ebeling, St. Jude chief technology officer, said via an e-mailed statement. “There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@Home and on all our devices.”
Merlin@Home is a monitoring device intended to be used at home to communicate and remotely send information from implanted heart devices.
Muddy Waters said that even “low-level” hackers could figure out how to exploit security vulnerabilities with the system and impersonate a Merlin@Home device to communicate with heart devices, and potentially St. Jude Medical’s internal computer network.
Cybersecurity experts and physicians said they needed more information before taking any action. But the information in the report was specific enough that they’re concerned, and are seeking answers.
“There should be a sense of urgency here,” said Dr. Robert Hauser, emeritus senior consulting cardiologist at the Minneapolis Heart Institute. “Patients are going to want to know, what does this mean to me? At this point in time, I couldn’t make an intelligent response to that ... (Medical societies) and the FDA should get together promptly. They need to aggressively investigate these claims and make recommendations to physicians.”
A spokesperson with the Food and Drug Administration declined to comment on the St. Jude situation, but said the agency has been consistent in requiring manufacturers to stay vigilant about cybersecurity risks and correct vulnerabilities.
Ken Hoyme, a medical-device cybersecurity expert who formerly led development of a remote patient monitoring system for Boston Scientific Corp., said nothing in the Muddy Waters report appeared infeasible. But he also noted Muddy Waters has a large financial interest in having people believe the worst-case scenario.
“There’s some potential risks there, but they have certainly painted a picture that maximizes their benefit if the stock goes down as far as possible,” said Hoyme, a researcher at Adventium Labs in Minneapolis.
Along with the report about the machines’ vulnerabilities, Muddy Waters revealed that it has taken out contracts that pay if St. Jude’s stock value goes down, known as “shorting” the stock. The extent of the firm’s short position in St. Jude wasn’t clear.
Muddy Waters Research and its founder Carson Block are known for taking brash public positions on business issues and shorting the stocks of targeted companies. The firm’s website proclaims, “We speak truth to power, even when the message is unpopular or threatening to the status quo.”
Several years ago, a $6 billion company called Sino-Forest Corp. declined in value, and eventually filed for bankruptcy protection, after Block publicly accused it of fraudulent accounting and shorted the stock.
St. Jude is the largest medical device company based in Minnesota, with $5.5 billion in sales last year mainly from implantable medical devices and surgical tools. The Fortune 500 company posted an $880 million profit that year, down 12 percent from the year before.
St. Jude was quick to respond Thursday, as its stock lost more than 8 percent of its value within 90 minutes of the news breaking. The stock regained 3 percent of its value in the following 90 minutes, and closed the day down 5 percent, at $77.82.
“Protection of confidential patient and consumer information is a high priority for us. We will remain vigilant to potential security vulnerabilities of our products and data in light of ever-increasing technological sophistication,” the company said.
Although Ebeling said the allegations were untrue, the company didn’t offer a point-by-point response to Muddy Waters’ report, including the statement that Merlin@Home lacked a “strong authentication” system and encryption that could prevent unauthorized access to the machines.
The alleged hacks identified by Muddy Waters create the risk that a hacker could change how an implanted cardiac device paces the heart or drain the battery so the device doesn’t work.
St. Jude’s said people who see cybersecurity vulnerabilities should e-mail the company at email@example.com and a cybersecurity expert will get in touch with them within 10 business days.