Abbott releases new round of cyber updates for St. Jude pacemakers

The ticker and trading information for St. Jude Medical is displayed where the stock is traded on the floor of the New York Stock Exchange (NYSE) in New York City, U.S., April 28, 2016. REUTERS/Brendan McDermid/File Photo

By Michael Erman

NEW YORK (Reuters) – Abbott Laboratories said on Tuesday it would issue updates to reduce the risk of its St. Jude heart implants being hacked and to warn patients that the devices’ batteries may run down earlier than expected.

It was the second round of updates for the heart implants that Abbott has announced since buying medical device maker St. Jude Medical earlier this year.

The U.S. government launched a probe last year of claims the devices were vulnerable to potentially life-threatening hacks that could cause implanted devices to pace at potentially dangerous rates or cause them to fail by draining their batteries.

The company also identified a separate problem with lithium batteries in its heart devices last year. St. Jude recalled some of its 400,000 implanted heart devices last October due to risk of premature battery depletion, which was linked to two deaths in Europe.

The U.S. Food and Drug Administration said then that hospitals should return unused devices and warned patients with an already implanted device to seek immediate medical attention if they get a low-battery alert.

“Abbott is resolving all old St. Jude Medical issues,” Abbott spokeswoman Candace Steele Flippin said.

The new update will provide doctors with an earlier warning when the batteries in Abbott’s implantable cardioverter defibrillators are at risk of early depletion.

Abbott said it would also update the software embedded in pacemakers to reduce the risk of hacking. The company said there have been no reports of unauthorized access to any patient’s implanted device and that compromising the security of the devices would require a complex set of circumstances.

The FDA said it approved the update to ensure that it addresses the cyber security vulnerabilities, and reduces the risk of patient harm.

The FDA and the Department of Homeland Security confirmed in January that St. Jude devices were vulnerable to hacking. But they said they knew of no cyber attacks on patients with the company’s cardiac implants.

The FDA said the benefits of continuing treatment outweighed cyber risks, and DHS said only an attacker “with high skill” could exploit the vulnerability.

They launched the probe in August after short-selling firm Muddy Waters and cyber security firm MedSec Holdings said the devices were riddled with security flaws that made them vulnerable to potentially life-threatening hacks.

When Muddy Waters went public with the claims, it also disclosed it was shorting shares of St. Jude Medical, which was preparing to sell itself to Abbott. The short-selling firm said it believed that disclosure of the vulnerabilities could cause the $25 billion deal to fall apart, but Abbot completed the deal in January.

(Reporting by Michael Erman; Editing by Dan Grebler and Richard Chang)