Health-care security company MedSec, investment research firm Muddy Waters Research, and University of Chicago medical professor Hemal Nayak filed a response on October 24 to St. Jude Medical’s lawsuit against them.
St. Jude’s lawsuit was filed on September 7, two weeks after the defendants published a report alleging security risks in pacemakers, implanted defibrillators, and other cardiac rhythm management (CRM) devices designed by St. Jude. The lawsuit stated that MedSec, Muddy Waters, and Nayak fabricated these claims for their own financial gain, citing the fact that Nayak sits on MedSec’s board of directors as evidence of a conflict of interest in the defendants’ research partnership.
Nayak wrote a letter on University letterhead that accompanied the report. The report was later edited to indicate that the letter does not "relate to nor reflect the views of the University of Chicago or the University of Chicago Medicine."
Muddy Waters’s business model involves investigating companies and then making investment decisions based on their discoveries. This can include short selling, or betting that the company’s value will decrease, after the publication of negative findings. Muddy Waters announced that it was shorting St. Jude when it released its report in August.
The defendants’ response includes an expert witness testimonial by Carl Livitt, a partner at security consulting company Bishop Fox. The testimonial, written after a team of researchers at Bishop Fox reproduced MedSec’s research on MedSec premises, reiterates the claim that St. Jude’s CRM devices pose significant security risks to patients
“In particular, the wireless protocol used for communication amongst St. Jude Medical cardiac devices has serious security vulnerabilities that make it possible to convert Merlin@home devices into weapons,” Livitt wrote. Merlin@home devices are implanted transmitters used to monitor other cardiac devices. According to the testimonial, it is possible to remotely disable Merlin@home devices and deliver shocks to patients from distances greater than 10 feet.
MedSec CEO Justine Bone addressed the defendants’ response on the company’s website, claiming that St. Jude’s poor track record in responding to problems with their devices made it necessary for MedSec, Muddy Waters, and Nayak to issue their report publicly. According to Bone, “St. Jude just recently announced a potentially lethal design defect [in another medical device] that may affect up to 350,000 of its users—two years after learning of it, apparently.” Bone adds that the defendants aimed to protect customers and limit public knowledge of vulnerable information by identifying “what our researchers had achieved but not how they did it.”
Lawyers representing the plaintiff did not respond to requests for comment, and Nayak declined to comment. Defendants and plaintiffs recently jointly asked the judge to delay a pre-trial conference in the case till late January.