St. Jude Says Short-Seller Profited on Fears

     (CN) — Heart-device maker St. Jude Medical claims a financial firm intentionally and “despicably” spread false information about the cybersecurity of its pacemakers to profit when its share price plummeted on patients’ fears.
     In a federal lawsuit filed Wednesday in Minnesota, St. Jude Medical accuses Muddy Waters Capital of intentionally spreading false information concerning St. Judge’s implantable cardiac devices to manipulate St. Jude’s share price for its own financial gain.
     Not to be confused with the children’s research hospital of the same name, St. Jude Medical makes cardiovascular devices for various heart diseases and neurostimulator devices for the management of chronic pain and movement disorders. It reported net sales of $1.45 billion for the first quarter of 2016, court records show.
     On Aug. 25 of this year, short-sale firm Muddy Waters Capital released a 33-page report claiming that hundreds of thousands of St. Jude’s home-monitored cardiac devices have “severe security vulnerabilities.”
     St. Jude says researchers at defendant MedSec Holdings, a cybersecurity firm, purportedly found a security flaw in St. Jude’s heart implants which connect wirelessly to at-home monitoring systems. Theoretically, this supposed flaw could leave patients with a St. Jude pacemaker or defibrillator vulnerable to a hacker’s cyberattack.
     But instead of bringing its findings to St. Jude or the Food and Drug Administration, MedSec took its findings “directly to Muddy Waters for the purpose of monetizing their claimed work with a hoped-for payday in the stock market,” the Twin Cities-based St. Jude says.
     “Defendants’ wrongful conduct conclusively demonstrates a total disregard for the patients whose lives depend on cardiac rhythm management devices and their conduct is indefensible,” St. Jude’s complaint states.
     Muddy Waters allegedly shorted St. Jude’s stock price the same day — meaning that it stood to profit if St. Jude’s stock price fell — while it publicized MedSec’s findings.
     Muddy Waters research director Carson Block appeared on Bloomberg TV and told viewers that St. Jude’s devices’ “communication protocol has been compromised,” making them “low hanging fruit for attackers to exploit,” according to the lawsuit. He said that a cyberattack could potentially drain the devices’ battery and endanger patients’ lives.
     By way of its remote transmitters, Block allegedly said St. Jude “literally distributed” the “keys to the castle,” meaning access to patients’ device controls, and said that the information was “readily available on Ebay” to anyone interested in making such an attack.
     St. Jude’s share price fell approximately 5 percent on this wave of negative publicity, from $81.88 per share to $77.82 per share on Aug. 25. It has since regained some of this lost value, with stocks trading at $79.35 on Thursday.
     “Defendants specifically intended to drive down the price of St. Jude’s stock, which they had previously sold short,” St. Jude says. “This insidious scheme to try to frighten and confuse patients and doctors by publicly disseminating false and unsubstantiated information in order to gain a financial windfall and thereby cause investors to panic and drive the St. Jude stock price down must be stopped and defendants must be held accountable so that such activity will not be incentivized and repeated in the future.”
     St. Jude categorically denies MedSec’s findings publicized in Muddy Water’s report and the FDA supported the company’s position, recommending that patients not unplug their remote monitoring based on security concerns.
     Muddy Waters posted a video purporting to show a St. Jude device “crash” under a cyber attack, but University of Michigan researchers debunked it 24 hours later, according to the complaint.
     St. Jude claims Muddy Waters and MedSec were only concerned with making themselves richer, which is why they used “market-bombshell scare tactics” rather than taking their concerns to legitimate parties, “with the very unfortunate (and despicable) concomitant result of fueling significant concern and fear in patients and their families.”
     Indeed, the St. Jude was immediately hit with a patient class action a day after Muddy Water’s report made the news.
     Muddy Waters defended itself an emailed statement.
     “It is not unusual for a company like this to try to silence its critics and we are always prepared to vigorously defend our right to criticize a company that puts its profits before its patients,” spokesman Zach Kouwe said.
     In addition to Muddy Waters Capital, the lawsuit also names as defendants Muddy Waters Consulting LLC, MedSec Holdings Ltd., MedSec LLC and three individuals who are principals in these firms, including Block and University of Chicago physician Dr. Hemal Nayak, who is on MedSec’s board.
     St. Jude seeks the disgorgement of Muddy Water’s short-sale profits and punitive damages for defamation, violation of the Deceptive Trade Practices Act and conspiracy.
     It is represented by Michael Ciresi with Ciresi Conlin in Minneapolis and Daniel Ring with Mayer Brown in Chicago.

%d bloggers like this: