Class action complaint filed as St. Jude’s Medical responds to cybersecurity allegations

Following a report by Muddy Waters Capital LLC stating that St. Jude’s Medical (SJM) pacemakers, implantable cardioverter defibrillators (ICDs), cardiac resynchronization therapy (CRT) devices, and other implantable cardiac devices should be recalled due to the risk of cyberattack, attorneys for a patient with such a device filed a class-action complaint in the Central District of California alleging that the patient would not have undergone surgery to be implanted with the device if he had been aware of the “severe security vulnerabilities” alleged in the report. SJM responded to the Muddy Waters report in a press release, stating that the claims were misleading and unfounded.

Cyberattacks against devices

Muddy Waters claimed it has seen demonstrations of two types of cyberattacks against SJM implantable cardiac devices: (1) a “crash” attack causing the device to malfunction, for example, by pacing at a potentially dangerous rate, and (2) a battery drain attack that could be potentially harmful to device-dependent users. Muddy Waters stated that it finds these vulnerabilities to be more worrying than other medical device hacks publicly discussed in the past, as they take less skill and can be directed randomly at any device within a roughly 50-foot radius.

SJM criticizes basis of report

In response, SJM said that the report’s claims of remote battery depletion are misleading, as the wireless communication of the devices is limited to approximately seven feet. “This brings into question the entire testing methodology that has been used as the basis for the [report.]” Additionally, a large-scale cyberattack like the one described by Muddy Waters would require “hundreds of hours of continuous and sustained ‘pings’ within the [seven-foot] distance,” according to SJM. SJM also highlighted inconsistencies in the simulated attacks presented by Muddy Waters, noting that one particular screenshot purportedly showing an impaired system actually shows a device that is functioning normally.

Complaint

In the California-based class action complaint, a patient with an implantable cardiac device alleges that he would not have had the device implanted if he had known about the vulnerabilities involved. The complaint lists 30 different devices that allegedly have serious security flaws, creating hundreds and thousands of claims from other patients against SJM for fraud and negligence.