St. Jude Faces New Safety Charges From Muddy Waters Capital

  • Short-seller releases more videos claiming heart device risks
  • St. Jude denied earlier charges; filed lawsuit against firm

St. Jude Medical Inc. is facing new allegations from short-seller Muddy Waters LLC that its pacemakers and defibrillators, life-saving devices used by thousands of people worldwide, can be easily hacked and turned against the patients relying on them. 

Muddy Waters, which has already disclosed a short position in St. Jude that generates profit when the stock price falls, is intensifying its criticism of the medical technology company, which is in the middle of being acquired by Abbott Laboratories. The investment firm run by Carson Block released a technical video that walks viewers through the heart devices’ vulnerabilities and shows how they can be exploited by computer hackers, a step it previously declined to take.

The video is designed to show that St. Jude’s Merlin equipment can be reverse-engineered, allowing the programmer commands to be manipulated so that a patient may get an unnecessary cardiac shock or the device may be turned off. St. Jude previously denied that its Merlin@home devices can transmit programmer commands or change the devices’ therapeutic settings. St. Jude has sued Muddy Waters and the MedSec Holdings security firm that conducted the research, saying the allegations are false and were intended to send down the company’s stock price.

St. Jude said it stands behind the security and safety of its devices and criticized Muddy Waters for “the irresponsible release of information that is intended for financial gain.” The company earlier this week announced the creation of a cybersecurity medical advisory board and said it will continue to work with researchers to understand cyber risks and potential vulnerabilities with its devices.

“Muddy Waters and MedSec have once again made public an unverified video that purports to raise safety issues about the cybersecurity of St. Jude Medical devices,” the company said in a statement. “This behavior continues to circumvent all forms of responsible disclosure related to cybersecurity and patient safety and continues to demonstrate total disregard for patients, physicians and the regulatory agencies who govern this industry.”
