The Merlin@home transmitter system was designed to communicate with certain implantable cardiac devices marketed by St. Jude Medical, including implantable defibrillators, pacemakers, and cardiac resynchronization devices. The transmitter is part of a remote monitoring system that allows patient data to be transmitted to a doctor’s office. In 2016, the investor group Muddy Waters announced it had taken a short position in St. Jude stock, and issued a report asseting that the Merlin@home system was especially vulnerable to computer hacks. The FDA confirmed the cybersecurity risk the following January.
When a patient receives a St. Jude cardiac implant, it is often bundled with the Merlin@home system. The transmitter works in conjunction with the company’s data management system, the Merlin.net Patient Care Network, to remotely transmit patient data to their physician’s office. According to St. Jude, remote monitoring increases the quality of patient care, improves clinical efficiency and substantially reduces health care costs. Clinical studies also suggest that remote monitoring reduces time to detect clinical events, reduces hospitalizations, and reduces all-cause mortality over three years.
The components that make up the Merlin@home monitoring system include:
In August2016, the investor group Muddy Waters announced that it had taken a short position in St. Jude stock, meaning that it had made a financial bet that the price of the company’s shares would decline. The group’s decision to do so was based on alleged cybersecurity issues that it said made St. Jude’s implantable cardiac devices vulnerable to hacks. According to Muddy Waters, the most vulnerable component appeared to be the Merlin@home transmitter. The purported vulnerabilities were discovered by a cybersecurity research firm called MedSec, which conducted demonstrations for the investor group.
In a 33-page report, Muddy Waters claimed that the problems would ultimately result in the recall and remediation of St. Jude’s implantable cardiac devices, and alleged that over 50% of the company’s revenue could disappear over the next two years as a result.
St. Jude quickly and strongly denied all of the claims put forth by Muddy Waters, calling them “false and misleading.” Nevertheless, the U.S. Food & Drug Administration and the Department of Homeland Security confirmed that they had launched an investigation of the issues raised by group’s report. Read More
The FDA review ultimately cybersecurity vulnerabilities in the Merlin@home system. St. Jude released software updates to resolve some of the issues. The company is working with Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to address the remaining vulnerabilities. Read More
Get the latest news and litigation updates about this case by following us on Facebook. Click the "Like" button below.