Medical device maker sues over bug report behind short-selling scheme

A maker of cardiac devices is suing two firms it accuses of falsely claiming its products could be hacked to further a short-selling scheme.

St Jude, a Minnesota-based maker of implantable cardiac rhythm management devices, on Wednesday filed a suit against security firm MedSec and investment firm Muddy Waters over claims by the pair in August that its devices were vulnerable to hacking.

Muddy Waters, a well-known short seller, had taken a position against St Jude and intended to use MedSec’s vulnerability report to drive St Jude’s price down. Muddy Waters had agreed to pay MedSec licensing fees and fund its research.

As noted by Financial Times last month, this was Muddy Waters’s first attempt at using alleged security flaws to move a target’s stock price. Previously it’s alleged fraud to apply pressure to publicly traded companies.

MedSec’s decision to present the flaws to Muddy Waters before St Jude was also unusual in the field of security research in that it broke with responsible disclosure norms. If these were followed, St Judge would have had an opportunity to verify the alleged flaws and provide a fix if necessary.

St Jude has refuted MedSec’s claims over two alleged flaws. These include that the battery in St Jude’s implantable cardiac devices could be drained from 50-feet away and that the devices could be forced to crash.

The medical device firm is seeking relief in the form of disgorgements of any profits made by the defendants as well as damages and legals costs, according the complaint filed with the District Court for the district of Minnesota on Wednesday.

St Jude accused the two companies of making false statements, false advertising, conspiracy and manipulating public markets.

"We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again,” Michael T. Rousseau, president and chief executive officer at St. Jude Medical said in a statement.

Some security experts have questioned whether it would have been more appropriate for MedSec to have reported the alleged flaws to the US Food and Drug Administration (FDA), the body responsible for regulating electronic medical devices in the US.

Muddy Waters claimed it would provide the report to the FDA as part of its disclosure in August and was expecting, based on MedSec’s findings, that it was likely St Jude would embark on a voluntary recall of affected products.

A Muddy Waters spokesman told Reuters that “it is not unusual for a company like this to try to silence its critics and we are always prepared to vigorously defend our right to criticize a company that puts its profits before its patients.”

Join the CSO newsletter!

Error: Please check your email address.

Tags medicalsecurity engineeringMedSecSt Judecardiac devicesMuddy Watershacking

More about

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place