St. Jude Medical has announced that it will form a cybersecurity advisory board, following allegations that some of its implantable cardiac devices, including those that rely on the Merlin@home transmitter, may be vulnerable to hacking. According to a statement from the company’s chief medical officer earlier this week, the members of the board will work with St. Jude’s technology experts and external researchers “to help us maintain and enhance cybersecurity and patient safety.”
St. Jude’s announcement comes roughly two months after an investment group called Muddy Waters published a report claiming that certain of the company’s pacemakers, defibrillators and cardiac resynchronization devices were easy targets for hackers, especially devices bundled with the Merlin@home remote transmitter system. Muddy Waters predicted that the devices would eventually need to be recalled, and speculated that any products liability litigation related to the controversy could ultimately cost St. Jude as much as $64 billion.
Since then, St. Jude has been named in at least one class action lawsuit filed by a defibrillator recipient. The U.S. Food & Drug Administration (FDA) also launched an investigation in conjunction with the Department of Homeland Security.
St. Jude vehemently denies the allegations and has filed a suit against Muddy Waters, claiming that the short-seller intentionally released a false report in order to gain financially from a drop in the company’s stock. Following the release of the Muddy Waters report, St. Jude shares fell 5% from $81.88 a share to $77.82, though they did eventually rebound.
The last couple of months have been difficult for the medical device maker. Just last week, the company recalled a number of its Implantable Cardioverter Defibrillators (ICD) and Cardiac Resynchronization Therapy Defibrillators (CRT-D), following reports of premature battery depletion. Should the batteries in these devices fail, the ICDs and CRT-Ds will not be able to deliver cardiac therapy when needed. The issue has already been linked to two deaths, as well as dozens of reports of patients who fainted or experienced dizziness due to a cardiac device that did not provide needed shock therapy.
Ironically, the FDA has advised patients implanted with the recalled ICDs and CRT-Ds to register for the Merlin@home system in order to monitor their devices for premature battery failure.