St Jude Medical was forced to temporarily halt trading of its stock last Friday, after an investment group asserted that the company’s implantable cardiac devices were an easy target for hackers and should be recalled. While St. Jude’s shares recovered following the brief lull in trading, the company still faces serious questions about the safety of its medical devices.
The chaos began last Thursday, after the investment group, Muddy Waters, LLC, announced that it had taken a short position in St. Jude. A 33-page report issued by the group maintained that the devices should be recalled. Once news of the Muddy Waters report hit the airwaves, shares in St. Jude fell nearly 8%. While the stock recovered somewhat, it ended the day down nearly 5%.
The stock slipped an additional 2.6% on Friday before trading was halted. Trading resumed at $77.00 per share just 45 minutes later. The stock would eventually rise to $78.01 by the end of the day, up 19 cents from Thursday’s close.
According to Bloomberg.com, the Muddy Waters report centered on St. Jude’s pacemakers, implantable defibrillators and cardiac-resynchronization devices. These devices have been implanted in tens of thousands of patents to ensure a healthy heart rhythm, and they rely on an in-home monitoring system called Merlin@home to transmit patient data to a doctor’s office. However, Muddy Waters claims that Merlin@home has almost no security systems in place. While the company’s top three competitors use proprietary software for their monitoring systems, the report faulted St. Jude for utilizing Linux software systems with chips that can be purchased off-the-shelf. Muddy Waters contends that demonstrations and tests have shown that this set-up could allow a hacker to send commands to a St. Jude device that would drain the battery or interfere with proper functioning.
In deciding to short St. Jude’s stock, Muddy Waters asserted that there is “little doubt that St. Jude Medical is about to enter a period of protracted litigation over these products. Should these trials reach verdicts, we expect the courts will hold that St. Jude Medical has been grossly negligent in its product design.”
Muddy Waters maintains that a recall of St. Jude’s implantable cardiac devices could result in roughly a 50% decrease in the company’s revenue for the next two years. Medical device lawsuits stemming from such a debacle could force the company to pay out an estimated $6.4 billion in awards.
According to Bloomberg, the controversy could also derail St. Jude’s purchase of Abbott Laboratories, resulting in an even bigger hit to the company’s stock.
St. Jude has called the Muddy Waters report “false and misleading.”
“St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions,” the company said in a statement issued on Friday.
Despite St. Jude’s denials, the U.S. Food & Drug Administration (FDA) has confirmed to the Minneapolis Star-Tribune that it is working with Homeland Security Department to investigate the issue.
“At the present time, patients should continue to use their devices as instructed and not change any implanted device,” the agency said on Friday.
In its report, Muddy Waters did acknowledge that it was not aware of any imminent threat to patients. No malicious cyberattacks, other than those initiated for the controlled experiments and demonstrations cited in the group’s report, have been documented.