Medical device maker sues over bug report behind short-selling scheme

A maker of cardiac devices is suing two firms it accuses of falsely claiming its products could be hacked to further a short-selling scheme.

St Jude, a Minnesota-based maker of implantable cardiac rhythm management devices, on Wednesday filed a suit against security firm MedSec and investment firm Muddy Waters over claims by the pair in August that its devices were vulnerable to hacking.

Muddy Waters, a well-known short seller, had taken a position against St Jude and intended to use MedSec’s vulnerability report to drive St Jude’s price down. Muddy Waters had agreed to pay MedSec licensing fees and fund its research.

As noted by the Financial Times last month, this was Muddy Waters’s first attempt at using alleged security flaws to move a target’s stock price. Previously it has alleged fraud to apply pressure to publicly traded companies.

MedSec’s decision to present the flaws to Muddy Waters before St Jude was also unusual in the field of security research in that it broke with responsible disclosure norms. Had these been followed, St Jude would have had an opportunity to verify the alleged flaws and provide a fix if necessary.

St Jude has refuted MedSec’s claims over two alleged flaws. These include that the battery in St Jude’s implantable cardiac devices could be drained from 50 feet away and that the devices could be forced to crash.

The medical device firm is seeking relief in the form of disgorgement of any profits made by the defendants as well as damages and legal costs, according to the complaint filed with the District Court for the District of Minnesota on Wednesday.

St Jude accused the two companies of making false statements, false advertising, conspiracy and manipulating public markets.

“We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again,” Michael T. Rousseau, president and chief executive officer at St. Jude Medical, said in a statement.

Some security experts have questioned whether it would have been more appropriate for MedSec to have reported the alleged flaws to the US Food and Drug Administration (FDA), the body responsible for regulating electronic medical devices in the US.

Muddy Waters claimed it would provide the report to the FDA as part of its disclosure in August and was expecting, based on MedSec’s findings, that it was likely St Jude would embark on a voluntary recall of affected products.

A Muddy Waters spokesman told Reuters that “it is not unusual for a company like this to try to silence its critics and we are always prepared to vigorously defend our right to criticize a company that puts its profits before its patients.”
