MedSec sued over St. Jude pacemaker vulnerability report

If St. Jude is to be believed, it was all about the money.
Written by Charlie Osborne, Contributing Writer

St. Jude Medical is taking allegations of serious security vulnerabilities in the firm's medical devices to heart with a lawsuit designed to "set the record straight."

The medical device maker claimed on Wednesday that MedSec and Muddy Waters falsely issued warnings about insecure medical devices in order to intentionally drop the share value of St. Jude and profit from a short-selling scheme, in which investors sell stock with the belief that values will soon drop -- allowing them to buy it back at a lower price and make a profit.

MedSec, alongside investment research body Muddy Waters, hit the headlines in August after claiming St. Jude devices, including pacemakers and defibrillators, were vulnerable to cyberattacks due to severe security flaws -- which, in turn, could put patients' lives at risk.

MedSec's report claimed that attacks could drain batteries or force embedded heart devices to pace at high rates.

St. Jude alleges that the two companies, alongside three principal members of the firms, used "false and misleading tactics" to scare patients, drop share prices and make cash on the side as a result.

Rather than disclose the security vulnerabilities to the manufacturer directly, the medical device maker says that MedSec turned to Muddy Waters in order to make some money on St. Jude stock after prices plummeted due to the report.

Muddy Waters shorted the stock after MedSec approached the investment firm with a deal. MedSec was hired as a consultant -- with fees to match -- and would also take a cut of the investment, in return for information on its research. Muddy Waters then issued a public estimation that St. Jude stock would be affected for at least "two years" due to "product safety issues" which "offer unnecessary health risks."

St. Jude refuted the claims, protesting that the researchers used a "flawed test methodology on outdated software" and demonstrated a "lack of understanding of medical device technology."

"We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again," said Michael Rousseau, president and CEO at St. Jude Medical.

"We believe this lawsuit is critical to the entire medical device ecosystem -- from our patients who have our life-saving devices, to the physicians and caregivers who care for them, to the responsible security researchers who help improve security, to the long-term St. Jude Medical investors who incurred losses due to false accusations as part of a wrongful profit-making scheme," Rousseau added.

The complaint alleges that MedSec and Muddy Waters showed a "total disregard for the patients whose lives depend on their cardiac management devices" and leans heavily on conclusions drawn by University of Michigan researchers after the report was published. The university team said the evidence presented in the report "does not support their conclusions," and that the conditions mentioned in the report could be replicated without any security concerns.

A spokesman for MedSec and Muddy Waters told ZDNet:

"It is not unusual for a company like this to try to silence its critics and we are always prepared to vigorously defend our right to criticize a company that puts its profits before its patients."

The lawsuit has been filed in the United States District Court for the District of Minnesota.
