St. Jude Sues Muddy Waters Over Heart Device Allegations

  • Muddy Waters said cybersecurity flaws leave devices vulnerable
  • Firm took short position to profit if St. Jude shares fell

St. Jude Medical Inc. filed a lawsuit against short-seller Carson Block and his Muddy Waters Capital LLC investment firm saying that allegations of cybersecurity vulnerabilities in its heart devices are false.

In the suit filed in federal court Wednesday, St. Jude said that Muddy Waters’s claims that its devices can be easily hacked are part of a plan to profit from a drop in the value of the company’s stock. The suit also names MedSec LLC, a cybersecurity company that reported on potential vulnerabilities in St. Jude’s products, as a defendant, along with other principals in the two firms.

Muddy Waters issued a report Aug. 25 saying that pacemakers and defibrillators made by St. Jude were easy to penetrate and could be manipulated by outsiders, potentially putting tens of thousands of Americans who use them at risk. The devices should be recalled and sales halted while the flaws were fixed, the short-seller said then. Such a move would have almost halved St. Jude’s revenue for about two years, and the St. Paul, Minnesota-based device maker has disputed the report’s findings.

“We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again,” St. Jude Chief Executive Officer Michael T. Rousseau said Wednesday in a statement.

St. Jude rose 0.7 percent to $79.44 at 11:06 a.m. in New York.

‘Right to Criticize’

Muddy Waters said it expects lawsuits as part of its business.

“It is not unusual for a company like this to try to silence its critics,” Muddy Waters said in a statement. “We are always prepared to vigorously defend our right to criticize a company that puts its profits before its patients.”

Muddy Waters’ allegations were also questioned by a group of medical-device security researchers and a cardiologist from the University of Michigan who said their independent effort to examine the report’s claims found the St. Jude pacemaker was working as intended.

Both Muddy Waters and MedSec were poised to benefit if St. Jude’s stock fell. The medical device company is in the process of being acquired by Abbott Laboratories, and any disruption of the deal could have sent St. Jude’s shares plummeting. Abbott said it remains committed to the St. Jude acquisition and expects it to close before the end of the year.

Working with FDA

The suit names Block, who founded Muddy Waters, Justine Bone, the chief executive officer at MedSec, and Hemal M. Nayak, the University of Chicago electrophysiologist who helped with the research firm’s investigation. It alleges that they intentionally and maliciously tried to “manipulate the securities markets for their own financial windfall through an unethical and unlawful scheme premised upon falsehoods and misleading statements.”

Bone and Nayak didn’t immediately respond to e-mailed requests for comment.

St. Jude said it works closely with the U.S. Food and Drug Administration, which regulates medical devices, to ensure it’s meeting agency requirements. The company said cybersecurity risk assessment is part of its quality assurance system, and it has worked with a variety of groups, including the FDA and the Department of Homeland Security, to develop safeguards to prevent the types of attacks described in the report.

Material and videos provided by Muddy Waters and MedSec showed they didn’t fully understand what was happening with the company’s products, the device maker said in the suit. For example, a red warning light that was interpreted as a device “crash” indicated that wires weren’t connected to a human heart. Another effort that appeared to shut down a pacemaker actually put it into a “safe” mode, designed to avert tampering, according to the suit.

St. Jude faulted the short-sellers for failing to inform it of any vulnerabilities before going to the financial markets. Muddy Waters and MedSec have said that St. Jude’s history of ignoring flaws in its cybersecurity systems justified going to the public with their concerns.

The case is St. Jude Medical, Inc. v. Muddy Waters Consulting LLC et al, 0:16-cv-03002, U.S. District Court, District of Minnesota.