Security Experts:

St. Jude Sues MedSec Over Device Security Allegations

St. Jude Medical has filed a lawsuit against MedSec and Muddy Waters, claiming that the companies made financially motivated false statements regarding the security of its medical devices.

On August 25, medical device security startup MedSec and investment research firm Muddy Waters published a report saying that St. Jude’s products are plagued by serious vulnerabilities that allow attackers, among other things, to crash implantable cardiac devices and drain their battery at a fast rate.

St. Jude was not informed about the research before the report was published. MedSec argued that it took this path in an effort to force the vendor to improve the security of its products. The security firm teamed up with Muddy Waters, which used the report to short St. Jude stock.

MedSec’s report does not contain many technical details, making it more difficult to verify the company’s claims. However, researchers from the University of Michigan have tried to reproduce the results and determined that MedSec may have reached inaccurate conclusions.

St. Jude denied the accusations and called the report “false and misleading.” The vendor says it has been working with third-party experts, researchers and regulators to ensure that its products have efficient security mechanisms.

Following the release of the report, St. Jude stock plunged and a defibrillator patient filed a class-action lawsuit against the company based on MedSec’s findings. Now, St. Jude is fighting back with a lawsuit filed against MedSec, Muddy Waters and three individuals who are principals at these companies.

St. Jude has accused the defendants of false statements, false advertising, conspiracy and manipulation of the public markets.

“The lawsuit filed today alleges that Muddy Waters, MedSec and the other defendants intentionally disseminated false and misleading information in order to lower the value of St. Jude Medical’s stock and to wrongfully profit from a drop in share value through a short-selling scheme,” St. Jude stated.

The company’s lawsuit cites the findings of University of Michigan researchers who determined that at least some of MedSec’s findings do not have a security impact.

“We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again,” said Michael T. Rousseau, president and CEO of St. Jude Medical. “We believe this lawsuit is critical to the entire medical device ecosystem — from our patients who have our life saving devices, to the physicians and caregivers who care for them, to the responsible security researchers who help improve security, to the long-term St. Jude Medical investors who incurred losses due to false accusations as part of a wrongful profit-making scheme.”

St. Jude stock has been slowly recovering following the disclosure, closing at $79.18 on Wednesday. The company’s stock had fallen under $60 in the first months of 2016, until late April when it soared to nearly $80 after Abbott Laboratories announced its intention to acquire St. Jude for $25 billion.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.