Merlin@home Hackers

Are the implantable cardiac devices bundled with St. Jude Medical’s Merlin@home monitoring system vulnerable to hackers? A report published by the Muddy Waters investor group in August 2016 claimed that they were, predicting that St. Jude would ultimately recall and remediate hundreds of thousands of pacemakers, implantable defibrillators and cardiac resynchronization devices that rely on in-home monitoring. In January 2017, federal medical device regulators confirmed the danger, and St. Jude issued software updates to fix some of the issues, though it was still working to resolve the remaining vulnerabilities.

Attorneys Investigating Potential Merlin@home Lawsuits

If cybersecurity concerns involving Merlin@home turn out to be valid, recipients of St. Jude devices that rely on this system may be entitled to file suit for compensation. The medical device attorneys at Bernstein Liebhard LLP are now investigating this issue, and our legal staff is offering free case reviews to patients who may be affected by the alleged Merlin@home hacker risk. To learn more, please contact our office by calling (888) 994-5118.

BREAKING NEWS: FDA Review Confirms Merlin@home Hacking Vulnerability

January 2017: A review conducted by the U.S. Food & Drug Administration (FDA) has confirmed that St. Jude Medical’s Merlin@home transmitter is vulnerable to hacking. The identified vulnerabilities could allow an unauthorized user to access implanted cardiac devices by altering the Merlin@home Transmitter. The altered transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.

St. Jude has issued software updates to resolve some of the issues. The company is working with Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to address the remaining vulnerabilities.

Muddy Waters Flags Alleged Merlin@home Cybersecurity Problems

Muddy Waters is an investment group founded by Carson Block. In August 2016, the group announced that it had taken a short position in St. Jude Medical, and asserted that the company could lose as much as 50% of its revenues over the next two years due to alleged cybersecurity problems that made hundreds of thousands of its pacemakers, implantable defibrillators and cardiac resynchronization devices vulnerable to hackers, especially those bundled with the Merlin@home monitoring system. Muddy Waters maintained that the purported issues would require the devices to be recalled and remediated, which would leave St. Jude open to litigation. Awards resulting from any such litigation could total as much as $6.4 billion, the group said.

According to Muddy Waters’ 33-page report, St. Jude’s “device ecosystem” (which includes implantable cardiac devices, the network, programmers provided to physicians’ offices, and at-home transmitters) lacks basic protections like encryption and authentication. Demonstrations conducted by a cybersecurity firm called MedSec indicated that the devices were susceptible to two types of hacks: a “crash” attack that causes the devices to malfunction and a “battery drain” attack that could be harmful to device-dependent users. “These attacks take less skill, can be directed randomly at any STJ Cardiac Device within a roughly 50 foot radius, theoretically can be executed on a very large scale, and most gallingly, are made possible by the hundreds of thousands of substandard home monitoring devices STJ has distributed,” the report states.

St. Jude maintains that the Muddy Waters report is “false and misleading.”

St. Jude Announces New Cybersecurity Advisory Panel

St. Jude Medical has announced that it will form a cybersecurity advisory board, following allegations that some of its implantable cardiac devices, including those that rely on the Merlin@home transmitter, may be vulnerable to hacking.

FDA Issues Cybersecurity Guidance for Networked Medical Devices

Federal medical regulators have released final guidance to address the postmarket management of cybersecurity for networked medical devices, such as St. Jude implantable cardiac devices that rely on the Merlin@home system. The final guidance is voluntary, and recommends that manufacturers monitor, identify and address cybersecurity vulnerabilities as part of the postmarket strategy for their products.

Legal Help for Recipients of St. Jude Merlin@home Implantable Cardiac Devices

Bernstein Liebhard LLP is offering legal assistance to recipients of Merlin@home implantable cardiac devices. If you are concerned that your Merlin@home monitor might be vulnerable to hackers, please contact our office today at (888) 994-5118.

Last Modified: January 9, 2017
