Minnesota medical device maker St. Jude Medical filed a federal defamation lawsuit Wednesday against short-selling firm Muddy Waters Capital LLC and others who last month drove down St. Jude stock with "strident" false claims about a lack of computer security in its lifesaving machines.
San Francisco-based Muddy Waters said Aug. 25 that it had taken out a short position on St. Jude stock — which meant it stood to profit if St. Jude stock fell in value — at the same time that it publicized allegations of sweeping cybersecurity vulnerabilities that could affect hundreds of thousands of devices.
Contrary to common industry practice, the hackers at Florida-based MedSec Holdings who said they discovered the alleged flaws in St. Jude devices first took their concerns to short-sellers to make a profit, instead of bringing them to St. Jude or regulators directly.
"This insidious scheme to try to frighten and confuse patients and doctors by publicly disseminating false and unsubstantiated information in order to gain a financial windfall and thereby cause investors to panic and drive the St. Jude stock price down must be stopped and defendants must be held accountable so that such activity will not be incentivized and repeated in the future," said St. Jude's 33-page lawsuit, filed in U.S. District Court in Minnesota.
St. Jude, a Fortune 500 company based in Little Canada, is asking a federal judge to take away whatever profits Muddy Waters and its partners might have made from the short-selling, and to order them to pay triple damages for violating a federal law against making false or misleading statements about commercial goods and services. The company is also suing under Minnesota's deceptive trade-practices law.
Muddy Waters quickly fired back in an e-mail, "It is not unusual for a company like this to try to silence its critics and we are always prepared to vigorously defend our right to criticize a company that puts its profits before its patients."
The Food and Drug Administration has confirmed to the Star Tribune that it is investigating the alleged cybersecurity issues in concert with the Department of Homeland Security. The agency has said patients should not make changes to their devices without consulting with their doctors, including unplugging the at-home monitoring systems that Muddy Waters portrays as the linchpin to the wireless security flaws.
St. Jude said there are no such flaws. The lawsuit contains a point-by-point rebuttal of Muddy Waters' claims, including MedSec CEO Justine Bone's public statements that St. Jude has known about cybersecurity problems since 2013 but has not fixed them.