St. Jude files defamation suit over pacemaker hack charge

Muddy Waters LLC says St. Jude Medical Inc.’s defamation lawsuit over the short-seller’s reports questioning the safety of some pacemakers is an attack on free speech.

The Carson Block-run fund, and others named in the suit, said research backs their claim that hackers can seize control of home remote transmitters to change the settings on pacemakers or to deliver a shock that induces a heart attack. The opinions were well-founded and of significant public interest, they said.

New Saint Jude Medical Technical Center Building

In its lawsuit, St. Jude claims that Muddy Waters lied in order to gain a “financial windfall” from a slump in the medical-device maker’s share price. In August, the fund released information that St. Jude devices could be hacked. Then, in recent days, the short-seller intensified its criticism of the medical technology company, which is in the middle of being acquired by Abbott Laboratories. The investment firm run by Carson Block released a technical video that walks viewers through the heart devices’ vulnerabilities and shows how they can be exploited by computer hackers, a step it previously declined to take.

"This case provides fundamental issues of First Amendment freedoms," Muddy Waters said in a court filing Monday. It said St. Jude "seeks to punish and prevent vital discussions about significant risks to the lives and health of ordinary Americans.”

Also See: Hackers, short seller hit St. Jude Medical on vulnerabilities

St. Jude countered that it sued because that was "the best course of action to make sure those looking to profit by trying to frighten patients and caregivers are held accountable for their actions," The device maker wants to "set the record straight about the security of our devices," Candace Steele Flippin, a spokeswoman for the company, said in a statement Monday.

Muddy Waters says the report it released in August "speaks for itself." It determined pacemakers and defibrillators made by St. Jude were easy to penetrate and could be manipulated by outsiders, potentially putting tens of thousands of Americans who use them at risk.

The U.S. Food and Drug Administration is aware of the report, but as a policy, the agency generally doesn’t comment on pending litigation, agency spokeswoman Angela Stark said. Based on information available to the agency, she said the FDA recommends that patients continue to use their devices as directed by their doctor because the benefits far outweigh potential cybersecurity vulnerabilities.

Bishop Fox was hired by Muddy Waters to test the St. Jude devices. The Tempe, Ariz.-based computer security service concluded that hackers could disable the equipment or deliver shocks at distances of 10 feet (3 meters). The devices could be compromised using an antenna from a distance of 45 feet or from as far as 100 feet with a configured radio communication system, the company found.

U.S. companies haven’t paid enough attention to the vulnerabilities of medical devices to potential hacks, Muddy Waters said. The devices should be recalled and sales halted while the flaws are fixed, it said.

For reprint and licensing requests for this article, click here.