Defibrillator security saga will go to court
Medical device maker St Jude has filed suit against a security company that reported security flaws in its products as part of a short-sale financial scheme.
The medical supplier says that it has sued both security firm MedSec and researcher Muddy Waters, as well as three other individuals it says falsely reported serious vulnerabilities in its pacemakers and defibrillators.
They then made money by short-selling the stock when the news broke.
The charges include false advertising, false statements, conspiracy, and market manipulation.
“We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again,” St Jude president and CEO Michael Rousseau said in announcing the suit.
“We believe this lawsuit is critical to the entire medical device ecosystem – from our patients who have our life saving devices, to the physicians and caregivers who care for them, to the responsible security researchers who help improve security, to the long-term St Jude Medical investors who incurred losses due to false accusations as part of a wrongful profit-making scheme.”
Muddy Waters and MedSec made headlines last month when they reported discovering vulnerabilities in St Jude pacemaker and defibrillator devices that, if exploited, could have allegedly posed threats to the health of patients.
Rather than disclose the flaws to the manufacturer, the researchers instead went to an investment house and turned a tidy profit by short-selling St Jude stock after its price dropped on the release of the news.
Shortly after the report surfaced, however, St Jude disputed the vulnerability reports and alleged the entire scheme had been made up to manipulate its stock price.
“Our top priority is to reassure patients, caregivers and physicians who use our life-saving devices that we are committed to the security of our products, and to ensure patients and their doctors maintain ongoing access to the proven clinical benefits of remote monitoring,” said St Jude vice president and chief medical officer Mark Carlson.
“We decided to take this action because of the irresponsible manner in which these groups have acted.”
Experts at the University of Michigan also poured doubt on one claim by MedSec that St Jude’s equipment is remotely brickable. ®