ST. PAUL, Minn. (KMSP) - St. Jude Medical, based in St. Paul, Minn. is fighting back against a critical report that sent its stock tumbling in August. The medical-device company is suing the organizations, and some of the people, behind the report.
Report raises cybersecurity concerns
In August, Muddy Waters, a hedge-fund firm, issued a report claiming some of St. Jude’s implanted heart devices were vulnerable to cyberattacks. The report noted two critical vulnerabilities: “crash” attacks involving “remotely disabled cardiac devices,” and a “battery drain attack” that can cause batteries to run down.
On Aug. 25, Carson Block, founder of Muddy Waters, was interviewed on Bloomberg TV, and said his firm was short-selling St. Jude stock, and cited the report as showing the “keys are out there and they’re very low hanging fruit for attackers to exploit.” Block said he expected recalls lasting as long as two years.
While Muddy Waters was the organization that published the report, the study was conducted by MedSec, a cybersecurity research firm.
St. Jude stock fell about five percent as news spread; a Star Tribune headline read “St. Jude stock tumbles as report questions company’s cybersecurity.”
Researchers question initial report
University of Michigan researchers reported their own experiments led to “strikingly different conclusions,” but did not conclude the report was false, only that the study was “inconclusive.”
Mark Lanterman, a Twin Cities cybersecurity expert who is nationally recognized for his expertise, also tried to duplicate the results of the report. He could not duplicate the results.
“I don’t believe MedSec’s report,” Lanterman, who works at Computer Forensic Services, told Fox 9. “I think there are money factors at play here. I think essentially this security researcher has found a new way to make money by issuing a very damaging, very critical security report, and then shorting stock.”
St. Jude fires back
On Sept. 6, St. Jude sued Muddy Waters, MedSec, and some of the key people involved in conducting or spreading the report. The suit, filed in federal court, describes the report as an “insidious scheme to try to frighten and confuse patients and doctors by publicly disseminating false and unsubstantiated information in order to gain a financial windfall and thereby cause investors to panic and drive the St. Jude stock price down.”
In a statement to Fox 9, Michael Rosseau, the CEO of St. Jude, states in part: “We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again.”
Muddy Waters stands by report
Muddy Waters continues to stand by its initial report. A few days after releasing it, the firm described St. Jude’s initial responses to the report as 20 percent substance and 80 percent fluff, and wrote the company’s agenda was to “erode the credibility” of the report, while failing to “insert inarguable facts to the contrary.”
In a statement to Fox 9, Carson Block, founder of Muddy Waters, wrote in part: “it’s not that surprising to see a company that puts profits before patients try to silence its critics through a lawsuit. The device vulnerabilities are real, serious, and we are confident we will prevail in court. In fact, we have recently begun to receive information from whistleblowers that provide further detail on alarming lapses at St. Jude.”
MedSec did not respond to Fox 9’s request for comment.