Hired experts support claims St. Jude heart devices can be hacked

By Jim Finkle

(Reuters) – Short-selling firm Muddy Waters said in a legal brief filed on Monday that outside cyber security experts it hired have validated its claim that St. Jude Medical Inc cardiac implants are vulnerable to potentially life-threatening cyber attacks.

Boutique cyber security firm Bishop Fox disclosed its findings in a 53-page report that was attached to a legal brief filed on Monday in U.S. district court in Minnesota on behalf of the short-sellers, who hired the firm to perform the work as they defend themselves in a lawsuit filed by St. Jude.

A representative for St. Jude was not immediately available for comment.

St. Jude filed the suit on Sept. 7 against Muddy Waters, cyber research firm MedSec Holdings and individuals affiliated with those companies. The suit accused the group of intentionally disseminating false information about St. Jude heart devices to manipulate its stock price, which fell 5 percent on the day they revealed their claims.

The defendants said in a filing released on Monday that the lawsuit is without merit, reiterating their claim that St. Jude Medical’s heart devices have “significant security vulnerabilities.”

The report from Bishop Fox said the firm was able to validate those claims.

“I found that Muddy Waters’ and MedSec’s statements regarding security issues in the St. Jude Medical implant ecosystem were, by and large, accurate,” Bishop Fox Partner Carl Livit said in an introduction to the report.

The report said that the wireless communications protocol used in St. Jude cardiac devices is vulnerable to hacking, making it possible for hackers to convert the company’s Merlin@home patient monitoring devices into “weapons” that can cause cardiac implants to stop providing care and deliver shocks to patients.

Bishop Fox tested the attacks from 10 feet (3 meters) away, but said that might be extended to 45 feet (13.7 meters) with an antenna, or 100 feet (30.5 meters) with a transmitting device known as a software defined radio.

(Reporting by Jim Finkle; Editing by Will Dunham)

St. Jude warns of heart device battery issue linked to two deaths

By Jim Finkle

(Reuters) – St. Jude Medical Inc warned on Tuesday that some of its implanted heart devices were at risk of premature battery depletion, a condition it said had been linked to two deaths.

News of the issue surfaced late on Monday when short-selling firm Muddy Waters tweeted a copy of a physician advisory on the matter from St. Jude, which agreed in April to sell itself for $25 billion to Abbott Laboratories.

The letter said problems with the lithium batteries that power the devices were rare and could be identified by patients using tools for monitoring battery levels at home.

Patients should seek immediate medical attention as soon as they get a low-battery alert from the monitoring devices, the U.S. Food and Drug Administration said, adding that St. Jude Medical had initiated a recall of the defibrillators.

St. Jude’s shares were down 2.4 percent at $79.35 in premarket trading on Tuesday, while Abbott’s were down 1.7 percent at $42.75. A spokesman for the drugmaker said it still expected to close the St. Jude deal by the end of the year.

The advisory comes as St. Jude is defending itself against unrelated allegations that its heart devices are riddled with defects that make them vulnerable to fatal cyber hacks.

Those claims were made by Muddy Waters and research firm MedSec Holdings. St. Jude has denied the allegations and sued both firms.

The FDA said on Tuesday its investigation into the cyber security vulnerabilities of the devices, including the Merlin@Home monitoring system, was continuing.

“Despite the allegations, at this time, the FDA strongly recommends that the Merlin@Home device be used to monitor the battery for these affected devices because the benefits of continued patient monitoring and the life-saving therapy these devices provide greatly outweighs any potential cybersecurity vulnerabilities,” the FDA said in a statement.

SMALL RISK

St. Jude said that out of nearly 400,000 devices manufactured through May last year, it had identified 841 failed implanted cardioverter defibrillators with lithium clusters, which can form after a device delivers electricity to the heart.

Lithium clusters sometimes cause battery power to deplete quickly, rendering devices unable to deliver doses of electricity when needed, St. Jude’s vice president of quality control, Jeff Fecho, said in a physician advisory.

“There have been two deaths that have been associated with the loss of defibrillation therapy as a result of premature battery depletion,” Fecho wrote in the letter.

Cowen & Co analysts said in a note that while such letters were never a positive, they were common in the industry and there was little risk to St. Jude’s business.

St. Jude advised physicians to replace devices with damaged batteries immediately, but cautioned against swapping out devices that were operating normally because of the potential for complications.

“While this risk is very small, we have provided doctors with information so that they can discuss the most appropriate course of action for each individual patient,” St. Jude’s chief medical officer, Mark Carlson, said in a statement.

St. Jude advised patients to check its website (http://www.sjm.com/batteryadvisory) for details on which devices were affected.

The site tells patients how they can monitor battery activity, look for vibrating alerts when batteries are low and connect to the Merlin.net remote monitoring service.

Battery-depletion advisories have been issued in the past by Boston Scientific Corp and Medtronic Plc.

(Reporting by Jim Finkle in Boston and Ankur Banerjee and Natalie Grover in Bengaluru; Editing by Paul Tait and Ted Kerr)