St. Jude devices vulnerable to cyberattack say Muddy Waters, MedSec


After uncovering cybersecurity vulnerabilities with St. Jude Medical cardiac devices, security research firm MedSec shared its findings first with investment firm Muddy Waters Capital as part of a deal that, so far, appears to be helping the companies profit off of the device maker’s adversity.

Muddy Waters, after receiving the information, published a report Thursday in which it sold short on St. Jude, according to Bloomberg. The more Muddy Waters investors profit on the news, the more money MedSec earns, the article notes. Shares of St. Jude Medical plummeted close to 4 percent by the end of the day Thursday.


The report rails on St. Jude for troubling cybersecurity vulnerabilities that are easily exploitable. In a statement explaining MedSec’s actions posted to the company’s website, CEO Justine Bone says that St. Jude has profited for years on devices with “little to no built-in security.

“We believe St. Jude Medical has known about security problems in their products since at least 2013, but it is apparent from the lack of security protections or mechanisms in their product line that very little action has been taken,” Bone said.

Furthermore, Bone told Bloomberg that MedSec believed St. Jude “would sweep this under the rug” or become embroiled in “a hush litigation situation” in which patients were oblivious to the details of the poor security. MedSec and Muddy Waters plan to inform the U.S. Food and Drug Administration of the vulnerabilities, according to the article.

In a letter posted to MedSec’s website, Hemal Nayak, an electrophysiologist and assistant professor of medicine at the University of Chicago Medicine, tells his patients who use implanted St. Jude cardiac electronic devices to discontinue home monitoring. Nayak also serves on MedSec’s board of directors.

Reacting to the news, Josh Corman, director of the Atlantic Council’s Cyber Statecraft Initiative, told Politico Pro’s Morning eHealth that the situation, while raising awareness, also could “create an adversarial relationship between cybersecurity firms and medical device companies.

St. Jude Chief Technology Officer Phil Ebeling called the claims in the report “absolutely untrue,” according to CNN.