Security Experts:

Connect with us

Hi, what are you looking for?



St. Jude Sues MedSec Over Device Security Allegations

St. Jude Medical has filed a lawsuit against MedSec and Muddy Waters, claiming that the companies made financially motivated false statements regarding the security of its medical devices.

St. Jude Medical has filed a lawsuit against MedSec and Muddy Waters, claiming that the companies made financially motivated false statements regarding the security of its medical devices.

On August 25, medical device security startup MedSec and investment research firm Muddy Waters published a report saying that St. Jude’s products are plagued by serious vulnerabilities that allow attackers, among other things, to crash implantable cardiac devices and drain their battery at a fast rate.

St. Jude was not informed about the research before the report was published. MedSec argued that it took this path in an effort to force the vendor to improve the security of its products. The security firm teamed up with Muddy Waters, which used the report to short St. Jude stock.

MedSec’s report does not contain many technical details, making it more difficult to verify the company’s claims. However, researchers from the University of Michigan have tried to reproduce the results and determined that MedSec may have reached inaccurate conclusions.

St. Jude denied the accusations and called the report “false and misleading.” The vendor says it has been working with third-party experts, researchers and regulators to ensure that its products have efficient security mechanisms.

Following the release of the report, St. Jude stock plunged and a defibrillator patient filed a class-action lawsuit against the company based on MedSec’s findings. Now, St. Jude is fighting back with a lawsuit filed against MedSec, Muddy Waters and three individuals who are principals at these companies.

St. Jude has accused the defendants of false statements, false advertising, conspiracy and manipulation of the public markets.

“The lawsuit filed today alleges that Muddy Waters, MedSec and the other defendants intentionally disseminated false and misleading information in order to lower the value of St. Jude Medical’s stock and to wrongfully profit from a drop in share value through a short-selling scheme,” St. Jude stated.

The company’s lawsuit cites the findings of University of Michigan researchers who determined that at least some of MedSec’s findings do not have a security impact.

“We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again,” said Michael T. Rousseau, president and CEO of St. Jude Medical. “We believe this lawsuit is critical to the entire medical device ecosystem — from our patients who have our life saving devices, to the physicians and caregivers who care for them, to the responsible security researchers who help improve security, to the long-term St. Jude Medical investors who incurred losses due to false accusations as part of a wrongful profit-making scheme.”

St. Jude stock has been slowly recovering following the disclosure, closing at $79.18 on Wednesday. The company’s stock had fallen under $60 in the first months of 2016, until late April when it soared to nearly $80 after Abbott Laboratories announced its intention to acquire St. Jude for $25 billion.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Vulnerability researchers at Google Project Zero are calling attention to the ongoing “patch-gap” problem in the Android ecosystem, warning that downstream vendors continue to...

Application Security

Malware hunters at Microsoft are calling attention to a nasty macOS malware family that has evolved quickly from a basic information-gathering trojan to a...

Application Security

Microsoft’s security patching machine hummed into overdrive Tuesday with the release of fixes for at least 97 documented software vulnerabilities, including a zero-day that’s...

Application Security

Cybersecurity powerhouse Palo Alto Networks on Thursday announced plans to spend $195 million in cash to acquire Israeli startup Cider Security, a deal that...