Twin Cities-based St. Jude Medical sues Muddy Waters over security allegation

Minnesota medical device maker St. Jude Medical filed a federal defamation lawsuit Wednesday against short-selling firm Muddy Waters Capital LLC and others who last month drove down St. Jude stock with "strident" false claims about a lack of computer security in its lifesaving machines.

San Francisco-based Muddy Waters said Aug. 25 that it had taken out a short position on St. Jude stock — which meant it stood to profit if St. Jude stock fell in value — at the same time that it publicized allegations of sweeping cybersecurity vulnerabilities that could affect hundreds of thousands of devices.

Contrary to common industry practice, the hackers at Florida-based MedSec Holdings who said they discovered the alleged flaws in St. Jude devices first took their concerns to short-sellers to make a profit, instead of bringing their concerns to St. Jude or regulators directly.

"This insidious scheme to try to frighten and confuse patients and doctors by publicly disseminating false and unsubstantiated information in order to gain a financial windfall and thereby cause investors to panic and drive the St. Jude stock price down must by stopped and defendants must be held accountable so that such activity will not be incentivized and repeated in the future," said St. Jude's 33-page lawsuit, filed in U.S. District Court in Minnesota.

St. Jude, a Fortune 500 company based in Little Canada, is asking a federal judge to take away whatever profits Muddy Waters and its partners might have made from its short-selling, and pay triple damages for violating a federal law against making false or misleading statements about commercial goods and services. They are also suing under Minnesota's deceptive trade-practices law.

Muddy Waters quickly fired back in an e-mail, "It is not unusual for a company like this to try to silence its critics and we are always prepared to vigorously defend our right to criticize a company that puts its profits before its patients."

The Food and Drug Administration has confirmed to the Star Tribune that it is investigating the alleged cybersecurity issues in concert with the Department of Homeland Security. The agency has said patients should not make changes to their devices without consulting with their doctors, including unplugging the at-home monitoring systems that Muddy Waters portrays as the linchpin to the wireless security flaws.

St. Jude said there are no such flaws. The lawsuit contains a point-by-point rebuttal of Muddy Waters' claims, including MedSec CEO Justine Bone's public statements that St. Jude has known about cybersecurity problems since 2013 but has not fixed them.

Public records on file with the FDA show that St. Jude has received regulators' permission to make numerous security upgrades to its devices in recent years.

"St. Jude released seven different security updates alone to Merlin@home since 2013," the lawsuit said, referring specifically to the device that is used to communicate wirelessly with implanted pacemakers and defibrillators in patients' homes.

St. Jude also repeated its past rebuttal to what Muddy Waters claimed was a security flaw shown in a video of a purported attack on a pacemaker, saying the alleged malfunction was actually a security feature that allows the device to work if under attack. The device maker also said Muddy Waters' printed report shows screen shots of the devices functioning as would be expected in a crude bench test, even though the images are presented in Muddy Waters' report as evidence of malfunctions.

"Defendants omit, among other things, that the tests were not representative of real-world conditions and did not account for the significant differences in tests performed on devices on a lab bench vs. conditions simulating an implanted [heart-rhythm] device," the lawsuit said.

Although researchers have been testing and demonstrating theoretical cybersecurity vulnerabilities with pacemakers and other medical devices since at least 2008, there has never been a confirmed report of a patient being harmed by a malicious cyberattack on an implanted device.

St. Jude Medical stock lost about 8 percent of its value when the allegations first came out on the Aug. 25, but it has recovered at least half of that lost value as stock analysts and med-tech experts have closely parsed the Muddy Waters report. On Wednesday, St. Jude stock closed at $79.18, up 28 cents for the day.

Listed as defendants in the lawsuit are Muddy Waters Consulting LLC, Muddy Waters Capital LLC, MedSec Holdings, Ltd., MedSec LLC, and three individuals who are principals in these firms, including University of Chicago doctor Dr. Hemal Nayak, who is on MedSec's board.

Neither Bone, the MedSec CEO, nor Nayak could be reached for comment Wednesday.

Nayak used part of the University of Chicago logo on a letter questioning St. Jude's cybersecurity that was included in the Muddy Waters report. But a spokeswoman for University of Chicago Medicine distanced the school from the report.

"The work Dr. Nayak conducted with MedSec/Muddy Waters was done on his own time and not in his capacity as a faculty member or physician at the University of Chicago Medical Center," spokeswoman Lorna Wong wrote in an e-mail Tuesday. "His comments and conclusions are based on his personal opinion and do not represent or reflect those of the University of Chicago or the University of Chicago Medical Center."

Muddy Waters describes itself as "an alternative investment firm and pioneer in on-the-ground, freely published investment research." It said that it separates itself from others in the industry by "being able to see through the opacity and hype that some managements create in order to expose business and accounting fraud as well as fundamental problems at companies across the globe."

Muddy Waters spokesman Zach Kouwe said by phone Wednesday that it was not unusual for the target of a short-seller to try to silence its critics. Kouwe added, "We've never paid anybody" in any instance when Muddy Waters has been sued in the past.

St. Jude CEO Michael Rousseau, who became chief executive in January, said in a statement that the company's lawsuit was critical to defend the interests of all of the company's stakeholders, including patients, doctors, responsible cybersecurity researchers, and St. Jude's investors.

"We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again," Rousseau's statement Wednesday said.

St. Jude is in the process of being sold to Abbott Laboratories for $25 billion. In an e-mail statement last week, an Abbott spokeswoman said, "We continue to collaborate with St. Jude to advance the transaction."

Joe Carlson • 612-673-4779

Paul Walsh • 612-673-4482