Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

St. Jude Sues MedSec Over Device Security Allegations

St. Jude Medical has filed a lawsuit against MedSec and Muddy Waters, claiming that the companies made financially motivated false statements regarding the security of its medical devices.

St. Jude Medical has filed a lawsuit against MedSec and Muddy Waters, claiming that the companies made financially motivated false statements regarding the security of its medical devices.

On August 25, medical device security startup MedSec and investment research firm Muddy Waters published a report saying that St. Jude’s products are plagued by serious vulnerabilities that allow attackers, among other things, to crash implantable cardiac devices and drain their battery at a fast rate.

St. Jude was not informed about the research before the report was published. MedSec argued that it took this path in an effort to force the vendor to improve the security of its products. The security firm teamed up with Muddy Waters, which used the report to short St. Jude stock.

MedSec’s report does not contain many technical details, making it more difficult to verify the company’s claims. However, researchers from the University of Michigan have tried to reproduce the results and determined that MedSec may have reached inaccurate conclusions.

St. Jude denied the accusations and called the report “false and misleading.” The vendor says it has been working with third-party experts, researchers and regulators to ensure that its products have efficient security mechanisms.

Following the release of the report, St. Jude stock plunged and a defibrillator patient filed a class-action lawsuit against the company based on MedSec’s findings. Now, St. Jude is fighting back with a lawsuit filed against MedSec, Muddy Waters and three individuals who are principals at these companies.

St. Jude has accused the defendants of false statements, false advertising, conspiracy and manipulation of the public markets.

“The lawsuit filed today alleges that Muddy Waters, MedSec and the other defendants intentionally disseminated false and misleading information in order to lower the value of St. Jude Medical’s stock and to wrongfully profit from a drop in share value through a short-selling scheme,” St. Jude stated.

The company’s lawsuit cites the findings of University of Michigan researchers who determined that at least some of MedSec’s findings do not have a security impact.

“We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again,” said Michael T. Rousseau, president and CEO of St. Jude Medical. “We believe this lawsuit is critical to the entire medical device ecosystem — from our patients who have our life saving devices, to the physicians and caregivers who care for them, to the responsible security researchers who help improve security, to the long-term St. Jude Medical investors who incurred losses due to false accusations as part of a wrongful profit-making scheme.”

St. Jude stock has been slowly recovering following the disclosure, closing at $79.18 on Wednesday. The company’s stock had fallen under $60 in the first months of 2016, until late April when it soared to nearly $80 after Abbott Laboratories announced its intention to acquire St. Jude for $25 billion.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Big-game malware hunters at Volexity are shining the spotlight on a sophisticated Chinese APT caught recently exploiting a Sophos firewall zero-day to plant backdoors...

Application Security

Computer maker Lenovo has started pushing security patches to address three vulnerabilities impacting the UEFI firmware of more than 110 laptop models.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Microsoft’s security patching machine hummed into overdrive Tuesday with the release of fixes for at least 97 documented software vulnerabilities, including a zero-day that’s...