SJM
-
St. Jude stock shorted on heart device hacking fears; shares drop
Aug 25, 2016 | Reuters
By Jim Finkle and Dan Burns
The stock of pacemaker manufacturer St. Jude Medical Inc (STJ.N) fell sharply on Thursday after short-selling firm Muddy Waters said it had placed a bet that the shares would fall, claiming its implanted heart devices were vulnerable to cyber attacks. -
Hacking Report on St. Jude Pacemakers Was Flawed, Researchers Say
Aug 31, 2016 | Fortune
By Aaron Pressman
University of Michigan experts could not confirm flaws alleged last week. -
Outside research team questions St. Jude hacking claims
Aug 30, 2016 | Star Tribune
By Joe Carlson
Outside analysis doesn't support worst-case claims, but more tests underway. -
St. Jude Medical Sues Short Seller Over Device Allegations
Sep 7, 2016 | WSJ
By TESS STYNES
The medical-device maker says Muddy Waters intentionally made false claims to profit from a decline in its stock -
Hedge Fund and Cybersecurity Firm Team Up to Short-Sell Device Maker
Sep 8, 2016 | NYT
By MATTHEW GOLDSTEIN, ALEXANDRA STEVENSON and LESLIE PICKER
The cybersecurity firm behind a short-seller’s campaign against St. Jude Medical, a major manufacturer of pacemakers, has a curious operating history. -
Twin Cities-based St. Jude Medical sues Muddy Waters over security allegation
Sep 7, 2016 | Star Tribune
By Joe Carlson and Paul Walsh
It alleges a short-seller and partners drove down stock with false claims. -
St. Jude Medical sues short-sellers; FDA launches probe
Sep 9, 2016 | Modern Healthcare
By Maria Castellucci
Medical-device manufacturer St. Jude Medical has filed a lawsuit this week against short-sellers that claimed that its pacemakers and other devices are vulnerable to hacks. -
St. Jude Medical Brings Legal Action Against Muddy Waters and MedSec
Sep 7, 2016 | Press Release
St. Jude Medical Turns to the Court to Hold Muddy Waters and MedSec Accountable for their Financially Motivated False Statements and Scare Tactics Aimed at Patients with Heart Conditions -
St. Jude Medical Continues to Refute Allegations made by Muddy Waters Capital and MedSec
Aug 30, 2016 | Press Release
August 29 Video Shows a St. Jude Medical Device Security Feature, Not a Flaw -
St. Jude Medical Refutes Muddy Waters Device Security Allegations and Reinforces Security of Devices and Commitment to Patient Safety
Aug 26, 2016 | Press Release
Analysis of St. Jude Medical Security Protocol Confirms Advanced Device Security Systems to Protect Patients are in Place
Attorney/Client Privileged / Developed at Request of Counsel
Full Text of Stories Below
-
St. Jude stock shorted on heart device hacking fears; shares drop
Aug 25, 2016 | Reuters
By Jim Finkle and Dan Burns
The stock of pacemaker manufacturer St. Jude Medical Inc (STJ.N) fell sharply on Thursday after short-selling firm Muddy Waters said it had placed a bet that the shares would fall, claiming its implanted heart devices were vulnerable to cyber attacks.
St. Jude, which agreed in April to sell itself for $25 billion to Abbott Laboratories (ABT.N), said the allegations were false. St Jude shares closed down 4.96 percent, the biggest one-day fall in 7 months and at a 7.4 percent discount to Abbott's takeover offer.
Muddy Waters head Carson Block said the firm's position was motivated by research from a cyber security firm, MedSec Holdings Inc, which has a financial arrangement with Muddy Waters. MedSec asserted that St. Jude's heart devices were vulnerable to cyber attack and were a risk to patients.
A MedSec report warned of two primary hacks on St. Jude pacemakers and defibrillators: One that could cause implanted devices to pace at potentially dangerous rates and one that drains their batteries.
MedSec approached Muddy Waters about three months ago and the two struck a deal under which Block agreed to hire MedSec as a consultant, pay it a licensing fee for research and a percentage of any profits from the investment, Block told Reuters.
Reuters was not able to confirm the allegations by Block and MedSec, a firm founded 18 months ago focusing on cyber vulnerabilities in the healthcare industry. The allegations were detailed in a report published on the Muddy Waters website.
The Department of Homeland Security and the Food and Drug Administration, which work together to investigate and remediate life-threatening cyber vulnerabilities in medical equipment, declined comment on St. Jude.
Josh Corman, co-founder of I am the Cavalry, a group that has worked to establish standard procedures for privately disclosing vulnerabilities to manufacturers, said he was surprised St. Jude had been singled out. He said he was aware of other non-public research showing other device makers have cyber vulnerabilities.
"They may have a basis for singling out this one company, but it feels arbitrary and capricious. It doesn't ring true," said Corman.
UNPRECEDENTED APPROACH
Cyber security experts said that it was unprecedented for a cyber security researcher to go public with research about cyber bugs as part of a short-selling strategy.
Researchers typically disclose bugs by approaching affected firms, working through intermediaries who communicate on their behalf, or presenting them at peer-reviewed cyber conferences.
MedSec Chief Executive Justine Bone told Reuters that her firm decided to not adhere to those practices.
"We have expenses we incur. This is a business relationship," she told Reuters. "But our goal here is to bring this to the attention of the public."
MedSec's report said "low-level" hackers could exploit security vulnerabilities in devices that St. Jude uses to enable doctors to remotely access data on their patients' implanted pacemakers and defibrillators, which use electricity to stabilize.
St. Jude Chief Technology Officer Philip Ebeling said there were several layers of security in place for its devices.
"We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices," Ebeling said in a statement.
Block also said he has taken a "long" position in Abbott, a bet that its stock will rise. A representative for Abbott had no comment.
Abbott dropped 0.76 percent to close around a one-month low of $42.84. At that price, Abbott's takeover offer for St. Jude was valued at $84.06 a share.
Were St. Jude’s fortunes to deteriorate significantly, Abbott could seek to cite a material-adverse-effect clause built into most acquisition contracts to back out of its merger agreement. Abbott would not be required to pay a termination fee.
In practice, such moves are rare, because the legal threshold is high for showing an adverse impact on business.
Abbott is already seeking to pull out of one deal this year. The company offered Alere up to $50 million to terminate its $5.8 billion acquisition after the medical testing device maker was hit by accounting issues. Alere, however, has so far resisted efforts by Abbott to end that deal.
Block, who announced his firm's position on Twitter, told Reuters that his firm felt that MedSec was correct to single out St. Jude because "none of their competitors are anywhere close to this bad." He said that one of his firm's researchers had replicated some of MedSec's findings.
Researchers tested second-hand Merlin@home devices obtained on eBay, among the hundreds of thousands that are in use, the report said. It said St. Jude pushed out a software update to some Merlin@home devices but that it "represented a very slight change in security."
(Reporting by Jim Finkle in Toronto and Dan Burns in New York. Additional reporting by Saqib Iqbal Ahmed, Rodrigo Campos, Toni Clarke, Carl O'Donnell, Ransdell Pierson, Noel Randewich; Editing by Grant McCool)
-
Hacking Report on St. Jude Pacemakers Was Flawed, Researchers Say
Aug 31, 2016 | Fortune
By Aaron Pressman
University of Michigan experts could not confirm flaws alleged last week.
A report on cybersecurity vulnerabilities in St. Jude Medical’s implantable heart devices released last week by short sellers was flawed and didn’t prove the flaws existed, according to a review by University of Michigan researchers.
Shares of St. Jude plunged as much as 10% on Aug. 25 after the report of the alleged vulnerabilities was released jointly by cybersecurity research firm MedSec Holdings and investment firm Muddy Waters, which primarily focuses on short selling, or betting that the stock prices of companies it picks will decline.
Though the firms disclosed that they had a joint financial arrangement to profit from a fall in St. Jude’s stock price, the arrangement was considered highly unusual. Security researchers usually first approach the subject of their vulnerability analysis before going public.
But now other researchers are questioning the MedSec report, which claimed that pacemakers and implantable defibrillators sold by St. Jude could be hacked in ways that could jeopardize a user’s safety. The implanted devices have wireless radios to connect to a home monitoring station that can then back up data to St. Jude.
“We’re not saying the report is false,” Kevin Fu, associate professor of computer science and engineering and director of the Archimedes Center for Medical Device Security at University of Michigan, said in a statement. “We’re saying it’s inconclusive because the evidence does not support their conclusions. We were able to generate the reported conditions without there being a security issue.”
Screen shots of error messages cited by MedSec as proof of the vulnerabilities did not prove that any security flaws existed, the Michigan researchers said. “In layman’s terms, it’s like claiming that hackers took over your computer, but then later discovering that you simply forgot to plug in your keyboard,” Fu said.
St. Jude, which is in the midst of being acquired by Abbott Labs for $25 billion, had also pushed back hard last week against the allegations. It said the report analyzed outdated software and demonstrated a “fundamental lack of understanding of medical device technology.”
Security expert Robert Graham also challenged some of the MedSec findings on his blog, Errata Security, on Friday.
“There are many ethical issues, but the first should be dishonesty and spin of the Muddy Waters research report,” Graham wrote. “The report is clearly designed to scare other investors to drop St. Jude stock price in the short term so that Muddy Waters can profit. It’s not designed to withstand long term scrutiny. It’s full of misleading details and outright lies.”
Shares of St. Jude, which had already recovered some of last week’s drop, were quoted at $79.45 in after hours trading on Monday. That’s still down 3% from before the MedSec report was released and below Abbott Lab’s $85 a share takeover price.
-
Outside research team questions St. Jude hacking claims
Aug 30, 2016 | Star Tribune
By Joe Carlson
Recent claims about hackers being able to remotely shut down pacemakers and defibrillators from St. Jude Medical don’t appear supported by evidence offered so far, an independent analysis has found.
The analysis by researchers at the University of Michigan on Tuesday came as St. Jude Medical Chief Executive Michael Rousseau addressed for the first time the allegations by short-selling firm Muddy Waters Capital LLC.
“We want our patients to know that they can feel secure about the cybersecurity protections in place on our devices,” Rousseau said in a news release Tuesday. “This behavior speaks volumes about the profit-seeking motives and integrity of these organizations.”
The organizations — California-based Muddy Waters and MedSec Holdings, a private medical hacking firm registered in Florida — alleged last week that hundreds of thousands of lifesaving heart-rhythm devices made by St. Jude have “shocking” vulnerabilities to hacking because of lax security precautions by St. Jude.
Researchers at the University of Michigan’s Archimedes Center for Medical Device Security said Tuesday that they have been able to reproduce the same error results in a St. Jude implantable defibrillator that Muddy Waters did, but the errors did not cause the device to malfunction. Rather, the error indicators documented by Muddy Waters are the same as what happens if the device isn’t correctly equipped with lead wires.
“We haven’t yet found any clinically relevant outcomes,” said Kevin Fu, director of the Archimedes center. Fu is considered a pioneer in the med-tech cybersecurity realm for leading a team that documented hacking vulnerabilities in pacemakers back in 2008.
The ongoing analysis by the Michigan team did not give St. Jude — or the rest of the device industry — a clean bill of health, though. The analysis found only that Muddy Waters and MedSec have not produced conclusive evidence of one alleged vulnerability. Work on other claims, including St. Jude’s defenses of its devices, is still ongoing at the independent lab.
“I think the take-home message is, we don’t need a knee-jerk reaction. Security reports are going to come out all the time, and some will be quite serious,” Fu said. “But with this first claim, we were surprised at how we came to a different conclusion.”
Merger talks continue
The allegations against St. Jude devices come at a touchy time because the devicemaker is in the process of being acquired by Abbott Laboratories for about $25 billion. Abbott Labs spokeswoman Elissa Maurer said via e-mail Tuesday, “We continue to collaborate with St. Jude to advance the transaction.”
Muddy Waters and St. Jude have been trading public barbs since Thursday, when the financial firm revealed that it was shorting the device maker’s stock, which would allow it to profit if St. Jude loses value.
The firm opted to short St. Jude because the alleged vulnerabilities appeared to require a massive recall of devices that comprise a large slice of the Fortune 500 company’s annual revenue.
St. Jude has steadfastly stood behind the security of its devices. Several physicians and the Food and Drug Administration have said they are not recommending patients make any changes while a government investigation of Muddy Waters’ claims moves forward.
The unorthodox public feud between the device maker and the short-seller reached a new level Monday afternoon, when Muddy Waters published a shadowy internet video on Vimeo that purported to show a hacker compromising a St. Jude pacemaker using St. Jude-branded wireless communications equipment and a laptop computer.
On Tuesday, St. Jude responded that the pacemaker in the video is actually doing what the manufacturer intended — and the fact that Muddy Waters didn’t know that shows the firm’s “fundamental lack of understanding” of St. Jude devices.
“The video clearly shows a security feature, not a flaw,” St. Jude Medical Chief Technology Officer Phil Ebeling said in a news release.
The pacemaker in Muddy Waters’ video appears to go into a “safe mode” after three hours of computer hacking, Ebeling said. St. Jude pacemakers have a “radio frequency telemetry lockout” security feature that puts the device into safe mode in the event of an attack. The devices are designed to go into safe mode to ensure they will continue to work if under attack.
St. Jude stock gained 38 cents on Tuesday, closing at $78.63. The stock is down 4 percent since Thursday.
-
St. Jude Medical Sues Short Seller Over Device Allegations
Sep 7, 2016 | WSJ
By TESS STYNES
St. Jude Medical Inc. on Wednesday filed a lawsuit against Muddy Waters Capital LLC, claiming the research firm intentionally made false and misleading claims about its heart devices in order to profit from a decline in its stock.
The complaint, filed in U.S. District Court in Minnesota, also names MedSec, a cybersecurity startup whose work was cited by Muddy Waters, and some executives at both Muddy Waters and MedSec.
“We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again,” St. Jude Chief Executive Michael Rousseau said.
Responding to the lawsuit, a Muddy Waters spokesman said: “It is not unusual for a company like this to try to silence its critics, and we are always prepared to vigorously defend our right to criticize a company that puts its profits before its patients.”
The dispute comes as St. Jude is in the process of being acquired by Abbott Laboratories in a cash-and-stock deal initially valued at $25 billion. The deal, set to close in the fourth quarter, would create one of the leading makers of heart-related devices. The combined company is expected to generate annual cardiovascular sales of about $8.7 billion.
In an August report, Muddy Waters said that St. Jude’s pacemakers and other heart devices were vulnerable to hacking and other cybersecurity threats, claims that the medical-device maker has denied.
Muddy Waters, which is known for shorting stocks, or making bets that a company’s share price will fall, had said it had a short position in St. Jude.
Muddy Waters also said the vulnerable heart devices represented about 46% of St. Jude’s total revenue of $5.54 billion for 2015. The research firm also urged a recall of the devices.
St. Jude’s complaint said the Muddy Waters report, based on research by MedSec, includes false claims that the medical-device maker’s implantable cardiac devices were vulnerable to cyberattacks that could cause the devices to crash or to create a drain on their batteries.
The company is seeking an undetermined amount in damages as well as disgorgement of profits.
After the release of the Muddy Waters report on Aug. 25, St. Jude’s stock slipped 5%. The shares dipped an additional 2.6% the following day before the medical-device maker issued a denial of the firm’s claims.
The shares subsequently recovered some ground to close on Aug. 26 at $78.01, up 19 cents. Since then, the stock has risen roughly 2% but remains below where it traded at before the report.
In recent trading Wednesday, St. Jude’s shares were up 53 cents at $79.43.
-
Hedge Fund and Cybersecurity Firm Team Up to Short-Sell Device Maker
Sep 8, 2016 | NYT
By MATTHEW GOLDSTEIN, ALEXANDRA STEVENSON and LESLIE PICKER
The cybersecurity firm behind a short-seller’s campaign against St. Jude Medical, a major manufacturer of pacemakers, has a curious operating history.
The firm, MedSec, says it has been around 18 months. But it was incorporated in the United States in Delaware just last month. Justine Bone, its chief executive, came on board two months ago.
And MedSec’s headquarters shares the same address as a virtual office in Miami that provides space to a number of companies.
The start-up is at the center of an unusual story line that brings together a Wall Street short-seller and the mysterious world of computer hacking.
Three weeks ago, Carson Block, an investor known for betting against, or shorting, companies’ stocks, announced that he and MedSec had uncovered “troubling cybersecurity flaws” in St. Jude’s pacemakers. Those flaws, he claimed, made them vulnerable to hackers and posed a potential health hazard. The situations put forward by Mr. Block were more akin to an international spy thriller than his usual forensic examination of a company’s accounting.
Mr. Block went public about three months after he received a call from Robert Bryan, a former hedge fund manager who helped raise money for MedSec, asking him to breakfast. Mr. Bryan proposed that MedSec and Mr. Block’s Muddy Waters hedge fund join forces to expose a potential security vulnerability that Mr. Bryan said MedSec had discovered in St. Jude’s pacemakers.
The firms agreed to share in the windfall of any decline in St. Jude’s stock.
“I have a very jaundiced view of how companies treat cybersecurity,” Mr. Block said in an interview on Thursday. “This is why this issue spoke to me so much.”
Short-sellers stake bets against stocks and profit when the share price falls. They often find themselves taking the heat for protesting loudly about the company they have waged a financial bet against. St. Jude has itself accused Muddy Waters, which manages about $100 million, of publishing a misleading report for its own financial gain. The company’s share price fell about 5 percent on Aug. 25 after Muddy Waters released MedSec’s research.
Muddy Waters’ partnership with MedSec is unorthodox. The cybersecurity firm counts Mr. Bryan, a former Goldman Sachs analyst, as one of its directors. Mr. Block and Mr. Bryan first met when Mr. Bryan was running a now-defunct hedge fund in New York called Metaval Capital.
MedSec has portrayed itself as a company that researches vulnerabilities in medical devices as a public service and considers itself among a group of hackers that engage in bounty hunting for bugs in networks and software programs. But unlike many of these hackers, who typically confront the company with their findings and seek compensation, MedSec chose not to go to the company.
Ms. Bone, MedSec’s chief, said in an interview with Bloomberg Television on Aug. 25, that MedSec did not go to St. Jude with its findings because they were “worried that they would sweep this under the rug.”
MedSec says that St. Jude’s pacemakers and defibrillators have security flaws including a lack of encryption and an opening that allows unauthorized devices to intercept communication between the implanted device and its home monitor.
But St. Jude has said the findings are in error. On Wednesday, the company filed a lawsuit in Federal District Court in Minnesota accusing MedSec and Mr. Block of making false statements and conspiring to manipulate its shares.
In the lawsuit, St. Jude noted that a group of researchers at the University of Michigan had reproduced MedSec’s experiment and “came to strikingly different conclusions” and said the problems uncovered were overblown.
St. Jude, like many medical device manufacturers, has had a history of problems with some of its products — some with deadly results. In 2012, the company had to make changes to some of its heart defibrillators because of problems with wires that protruded from their casings that had led to a number of deaths.
The recent questions about the security of St. Jude’s pacemakers come as the company is being acquired by Abbott Laboratories in a stock and cash deal valued at $25 billion. Abbott has said it plans to continue pursuing the deal, which was announced on April 28, shortly before Mr. Block met with Mr. Bryan to discuss teaming up.
Mr. Block, in an interview, said the timing of the meeting was a coincidence and that MedSec had broadly looked at whether other pacemaker manufacturers were vulnerable to similar attacks and found problems only at St. Jude.
“I don’t think you can conclude that they came together to short St. Jude,” Mr. Block said of MedSec.
In an emailed response, Mr. Bryan described himself as a minority investor in MedSec and said the company “raised seed capital far before contacting Carson.” He added that “it’s implausible that we’d develop an entire study a year ago on the hope a short-seller would take the case and not speak to any of them.”
He said the company was incorporated in St. Kitts and Nevis, a Caribbean nation, last year and incorporated in Delaware so it could “receive compensation” from Mr. Block’s fund. Mr. Bryan said the firm has a long-term “sublease and physical office space” and “recently we signed up a few clients including a hospital in Texas.” He declined to disclose any names.
A number of hedge funds, which had placed bets on the likelihood of the Abbott deal closing, lost money when shares of St. Jude fell last month, erasing more than $1 billion in market value. Some of them, as well as other investors in St. Jude, have discussed filing a lawsuit against Muddy Waters and MedSec, and brought in lawyers at a prominent Wall Street law firm as counsel, according to people briefed on the discussions.
MedSec’s board and staff is an unusual mix, including a former congressman, university professors and people from the world of hacking. Mr. Block has arranged for his public relations firm to handle media for MedSec.
A doctor who is on the company’s board and issued a letter vouching for the firm’s results also has an equity stake in MedSec.
The firm sought to add some gravitas to its ranks with the hiring of Ms. Bone, who previously held top network security jobs at Bloomberg and Dow Jones. A former ballet dancer in New Zealand, Ms. Bone also is the former chief executive of Immunity, a company that specializes in cybersecurity threat assessment, and she has been a featured speaker at major hacker community conferences.
Immunity emerged last year in a document dump by WikiLeaks of emails with companies that had business discussions with Hacking Team, an Italian company that has come under scrutiny for selling digital spy tools to governments with records of human rights abuses.
MedSec and Muddy Waters have given varying accounts of the urgency of their discovery. In her television interview, Ms. Bone said the company saw “no evidence of an immediate threat.”
In their report, however, MedSec and Muddy Waters quote Hemal Nayak, a cardio-electrophysiologist at the University of Chicago Medicine, who recommended that his patients unplug their St. Jude devices and said he would not implant any new pacemakers until the security problems were addressed.
Dr. Nayak, who could not be reached for comment, also serves as a medical adviser and board member at MedSec and has an equity stake in the firm. He has acknowledged not being an “expert in cybersecurity” but said he “witnessed, firsthand, the experiments MedSec has conducted.” Dr. Nayak was given an equity interest in the firm “prior to MedSec reaching its conclusions,” according to a footnote in the research report.
A spokeswoman for the University of Chicago Medicine said: “The work Dr. Nayak conducted with MedSec/Muddy Waters was done on his own time and not in his capacity as a faculty member or physician at the University of Chicago Medical Center.”
The same day that Mr. Block and MedSec went public with their findings, they sent a copy of the research to the federal Food and Drug Administration.
Angela Stark, a spokeswoman for the F.D.A., said in an emailed statement the agency “is aware of the allegations and concerns raised in MedSec’s public report” and is investigating them.
She added that the agency said patients with St. Jude pacemakers should continue to use them.
-
Twin Cities-based St. Jude Medical sues Muddy Waters over security allegation
Sep 7, 2016 | Star Tribune
By Joe Carlson and Paul Walsh
Minnesota medical device maker St. Jude Medical filed a federal defamation lawsuit Wednesday against short-selling firm Muddy Waters Capital LLC and others who last month drove down St. Jude stock with “strident” false claims about a lack of computer security in its lifesaving machines.
San Francisco-based Muddy Waters said Aug. 25 that it had taken out a short position on St. Jude stock — which meant it stood to profit if St. Jude stock fell in value — at the same time that it publicized allegations of sweeping cybersecurity vulnerabilities that could affect hundreds of thousands of devices.
Contrary to common industry practice, the hackers at Florida-based MedSec Holdings who said they discovered the alleged flaws in St. Jude devices first took their concerns to short-sellers to make a profit, instead of bringing their concerns to St. Jude or regulators directly.
“This insidious scheme to try to frighten and confuse patients and doctors by publicly disseminating false and unsubstantiated information in order to gain a financial windfall and thereby cause investors to panic and drive the St. Jude stock price down must by stopped and defendants must be held accountable so that such activity will not be incentivized and repeated in the future,” said St. Jude’s 33-page lawsuit, filed in U.S. District Court in Minnesota.
St. Jude, a Fortune 500 company based in Little Canada, is asking a federal judge to take away whatever profits Muddy Waters and its partners might have made from its short-selling, and pay triple damages for violating a federal law against making false or misleading statements about commercial goods and services. They are also suing under Minnesota’s deceptive trade-practices law.
Muddy Waters quickly fired back in an e-mail, “It is not unusual for a company like this to try to silence its critics and we are always prepared to vigorously defend our right to criticize a company that puts its profits before its patients.”
The Food and Drug Administration has confirmed to the Star Tribune that it is investigating the alleged cybersecurity issues in concert with the Department of Homeland Security. The agency has said patients should not make changes to their devices without consulting with their doctors, including unplugging the at-home monitoring systems that Muddy Waters portrays as the linchpin to the wireless security flaws.
St. Jude said there are no such flaws. The lawsuit contains a point-by-point rebuttal of Muddy Waters’ claims, including MedSec CEO Justine Bone’s public statements that St. Jude has known about cybersecurity problems since 2013 but has not fixed them.
Public records on file with the FDA show that St. Jude has received regulators’ permission to make numerous security upgrades to its devices in recent years.
“St. Jude released seven different security updates alone to Merlin@home since 2013,” the lawsuit said, referring specifically to the device that is used to communicate wirelessly with implanted pacemakers and defibrillators in patients’ homes.
St. Jude also repeated its past rebuttal to what Muddy Waters claimed was a security flaw shown in a video of a purported attack on a pacemaker, saying the alleged malfunction was actually a security feature that allows the device to work if under attack. The device maker also said Muddy Waters’ printed report shows screen shots of the devices functioning as would be expected in a crude bench test, even though the images are presented in Muddy Waters’ report as evidence of malfunctions.
“Defendants omit, among other things, that the tests were not representative of real-world conditions and did not account for the significant differences in tests performed on devices on a lab bench vs. conditions simulating an implanted [heart-rhythm] device,” the lawsuit said.
Although researchers have been testing and demonstrating theoretical cybersecurity vulnerabilities with pacemakers and other medical devices since at least 2008, there has never been a confirmed report of a patient being harmed by a malicious cyberattack on an implanted device.
St. Jude Medical stock lost about 8 percent of its value when the allegations first came out on Aug. 25, but it has recovered at least half of that lost value as stock analysts and med-tech experts have closely parsed the Muddy Waters report. On Wednesday, St. Jude stock closed at $79.18, up 28 cents for the day.
Listed as defendants in the lawsuit are Muddy Waters Consulting LLC, Muddy Waters Capital LLC, MedSec Holdings, Ltd., MedSec LLC, and three individuals who are principals in these firms, including University of Chicago doctor Dr. Hemal Nayak, who is on MedSec’s board.
Neither Bone, the MedSec CEO, nor Nayak could be reached for comment Wednesday.
Nayak used part of the University of Chicago logo on a letter questioning St. Jude’s cybersecurity that was included in the Muddy Waters report. But a spokeswoman for University of Chicago Medicine distanced the school from the report.
“The work Dr. Nayak conducted with MedSec/Muddy Waters was done on his own time and not in his capacity as a faculty member or physician at the University of Chicago Medical Center,” spokeswoman Lorna Wong wrote in an e-mail Tuesday. “His comments and conclusions are based on his personal opinion and do not represent or reflect those of the University of Chicago or the University of Chicago Medical Center.”
Muddy Waters describes itself as “an alternative investment firm and pioneer in on-the-ground, freely published investment research.” It said that it separates itself from others in the industry by “being able to see through the opacity and hype that some managements create in order to expose business and accounting fraud as well as fundamental problems at companies across the globe.”
Muddy Waters spokesman Zach Kouwe said by phone Wednesday that it was not unusual for the target of a short-seller to try to silence its critics. Kouwe added, “We’ve never paid anybody” in any instance when Muddy Waters has been sued in the past.
St. Jude CEO Michael Rousseau, who became chief executive in January, said in a statement that the company’s lawsuit was critical to defend the interests of all of the company’s stakeholders, including patients, doctors, responsible cybersecurity researchers, and St. Jude’s investors.
“We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again,” Rousseau’s statement Wednesday said.
St. Jude is in the process of being sold to Abbott Laboratories for $25 billion. In an e-mail statement last week, an Abbott spokeswoman said, “We continue to collaborate with St. Jude to advance the transaction.”
-
St. Jude Medical sues short-sellers; FDA launches probe
Sep 9, 2016 | Modern Healthcare
By Maria Castellucci
Medical-device manufacturer St. Jude Medical has filed a lawsuit this week against short-sellers that claimed that its pacemakers and other devices are vulnerable to hacks.
The lawsuit was filed Wednesday against short-selling investment firm Muddy Waters, cybersecurity company MedSec Holdings, and three principals in those firms.
The St. Paul, Minn.-based company has consistently denied allegations made in a report published last month (PDF) by Muddy Waters and MedSec Holdings that St. Jude's devices “lack even the most basic forms of security.” Muddy Waters and MedSec have also released videos that demonstrate how the devices can “crash.”
From the lawsuit, St. Jude Medical “seeks to hold these firms and individuals accountable for their false and misleading tactics, to set the record straight about the security of its devices, and to help cardiac patients and their doctors make informed medical decisions about products that enhance and save lives every day,” the company said in a prepared statement.
Muddy Waters didn't respond to a request for comment on the pending lawsuit.
Also this week, the Food and Drug Administration confirmed that it has launched an investigation of St. Jude Medical based on Muddy Waters' claims. FDA spokeswoman Angela Stark said the agency is working with the Department of Homeland Security to conduct an investigation into the Muddy Waters report. She added that, “At the present time, patients should continue to use their devices as instructed and not change any implanted device. The FDA will provide updates as we learn more.”
In response to the FDA investigation, St. Jude Medical spokeswoman Candace Flippin said in a prepared statement that the company supports the inquiry and will work closely with the agency. “We are confident in the safety and security of our remote monitoring systems … We will continue to work closely with the FDA as ensuring patient safety is our top priority,” she added.
St. Jude Medical said short-seller Muddy Waters “intentionally” released false claims against its cardiac devices in order to benefit if St. Jude stock depreciated. The company's stock fell 5% after the report was released from $81.88 a share to $77.82 a share. Stock was selling Friday morning at $78.77 a share.
The allegations made by Muddy Waters and MedSec have been met with criticism. An independent report released Aug. 30 by researchers at the University of Michigan found flaws in their analysis. The researchers said they came to “strikingly different conclusions” when they reproduced the experiments.
U-M also pointed out that Muddy Waters had a financial incentive to see St. Jude stock decline.
St. Jude Medical is a global provider of medical devices. It has a market value of $22.5 billion. In its second quarter, St. Jude reported $1.5 billion in net sales, a 10.8% increase from the same quarter a year ago. -
St. Jude Medical Brings Legal Action Against Muddy Waters and MedSec
Sep 7, 2016 | Press Release
ST. PAUL, Minn.--(BUSINESS WIRE)-- St. Jude Medical, Inc. (NYSE:STJ), a global medical device company, announced today that it has filed a lawsuit against Muddy Waters Consulting LLC, Muddy Waters Capital LLC, MedSec Holdings, Ltd., MedSec LLC, and three individual defendants who are principals in these firms, for false statements, false advertising, conspiracy and the related manipulation of the public markets in connection with St. Jude Medical’s implantable cardiac management devices. With this action, St. Jude Medical seeks to hold these firms and individuals accountable for their false and misleading tactics, to set the record straight about the security of its devices, and to help cardiac patients and their doctors make informed medical decisions about products that enhance and save lives every day.
"We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again," said Michael T. Rousseau, president and chief executive officer at St. Jude Medical. "We believe this lawsuit is critical to the entire medical device ecosystem — from our patients who have our life saving devices, to the physicians and caregivers who care for them, to the responsible security researchers who help improve security, to the long-term St. Jude Medical investors who incurred losses due to false accusations as part of a wrongful profit-making scheme."
The lawsuit filed today alleges that Muddy Waters, MedSec and the other defendants intentionally disseminated false and misleading information in order to lower the value of St. Jude Medical’s stock and to wrongfully profit from a drop in share value through a short-selling scheme. The company’s complaint refers to the Muddy Waters and MedSec repeated false allegations that began on August 25, 2016 about St. Jude Medical’s implantable cardiac devices. As further explained in the company’s complaint, the defendants’ financially self-interested attempts to mislead doctors and patients demonstrate a total disregard for the patients whose lives depend on their cardiac management devices. The complaint also cites a third-party assessment of the Muddy Waters Report by University of Michigan researchers who found that “the evidence does not support their conclusions… [the University of Michigan researchers] were able to generate the reported conditions without there being a security issue.” In addition, an electrophysiologist and cardiologist from the University of Michigan also stated that “given the significant benefits from home monitoring, patients should continue to use their prescribed cardiac devices” at this time.
“We recognize that the cybersecurity landscape is dynamic, which is why we partner with researchers, agencies, consultants and others to continually strengthen our security measures currently in place,” said Phil Ebeling, vice president and chief technology officer at St. Jude Medical. “We also have processes in place to encourage anyone with information about the security of our technology to share it with us so that we can enhance our technology for the benefit of patients.”
St. Jude Medical devices save and improve lives every day, and our devices and systems have multiple features to reduce the risk of cyber security attacks. St. Jude Medical has worked, and will continue to work, with the Food and Drug Administration, the Department of Homeland Security and independent researchers to continually strengthen its security systems in the ever changing cybersecurity environment.
"Our top priority is to reassure patients, caregivers and physicians who use our life-saving devices that we are committed to the security of our products and to ensure patients and their doctors maintain ongoing access to the proven clinical benefits of remote monitoring," said Mark Carlson, vice president and chief medical officer at St. Jude Medical. "We decided to take this action because of the irresponsible manner in which these groups have acted."
The lawsuit was filed in the United States District Court for the District of Minnesota. This case follows St. Jude Medical's recent statements that refuted claims by Muddy Waters and MedSec regarding the safety and security of our pacemakers and defibrillators.
About St. Jude Medical
St. Jude Medical is a leading global medical device manufacturer and is dedicated to transforming the treatment of some of the world's most expensive epidemic diseases. The company does this by developing cost-effective medical technologies that save and improve lives of patients around the world.
Headquartered in St. Paul, Minn., St. Jude Medical employs approximately 18,000 people worldwide and has five major areas of focus that include heart failure, atrial fibrillation, neuromodulation, traditional cardiac rhythm management and cardiovascular. For more information, please visit sjm.com or follow us on Twitter @SJM_Media.
Forward-Looking Statements
This news release contains forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995 that involve risks and uncertainties. Such forward-looking statements include the expectations, plans and prospects for the company, including potential clinical successes, reimbursement strategies, anticipated regulatory approvals and future product launches, and projected revenues, margins, earnings and market shares. The statements made by the company are based upon management’s current expectations and are subject to certain risks and uncertainties that could cause actual results to differ materially from those described in the forward-looking statements. These risks and uncertainties include market conditions and other factors beyond the company’s control and the risk factors and other cautionary statements described in the company’s filings with the SEC, including those described in the Risk Factors and Cautionary Statements sections of the company’s Annual Report on Form 10-K for the fiscal year ended January 2, 2016 and Quarterly Report on Form 10-Q for the fiscal quarter ended July 2, 2016. The company does not intend to update these statements and undertakes no duty to any person to provide any such update under any circumstance.
View source version on businesswire.com: http://www.businesswire.com/news/home/20160907005903/en/
Source: St. Jude Medical, Inc.
St. Jude Medical, Inc.
J.C. Weigelt, 651-756-4347
Investor Relations
jweigelt@sjm.com
or
Candace Steele Flippin, 651-756-3029
Media Relations
csflippin@sjm.com -
St. Jude Medical Continues to Refute Allegations made by Muddy Waters Capital and MedSec
Aug 30, 2016 | Press Release
AUGUST 30, 2016 ST. PAUL, Minn.--(BUSINESS WIRE)-- St. Jude Medical, Inc. (NYSE:STJ), a global medical device company, today issued the following statement:
Patients are our highest priority. St. Jude Medical takes our commitment to patients very seriously because we understand that the 20,000 patients around the world who receive our lifesaving and life improving therapies –– every business day –– count on us to always put them first. And we do.
“The allegations made by Muddy Waters and MedSec are irresponsible, misleading and unnecessarily frightening patients,” said Michael T. Rousseau, president and chief executive officer at St. Jude Medical. “We want our patients to know that they can feel secure about the cybersecurity protections in place on our devices. This behavior speaks volumes about the profit-seeking motives and integrity of these organizations.”
Further demonstrating their fundamental lack of understanding of St. Jude Medical’s medical device technology, Muddy Waters Capital and MedSec presented a video yesterday that actually demonstrated the Radio Frequency (RF) Telemetry Lockout security feature of our pacemakers – not a “crash” as they claimed. The video also confirms that the device’s clinical functions are operating as expected under these conditions.
“The video clearly shows a security feature, not a flaw. The pacemaker is actually functioning as designed. If attacked, our pacemakers place themselves into a ‘safe’ mode to ensure the device continues to work, which further proves our commitment to safety and security,” said Phil Ebeling, vice president and chief technology officer at St. Jude Medical.
We have safeguards in place to mitigate so-called “crash attacks”
St. Jude Medical devices are designed to go into a life-sustaining “safe” mode, as a safeguard, if unexpected conditions are detected.
These safeguards will put the device into safe mode where the preprogrammed pacing and defibrillation functions of the implantable medical devices revert to safe settings. In addition, some of our devices, by design, disable further RF communications for a period of time, which may appear to the untrained eye as having rendered the device disabled, although it continues to function.
As part of our commitment to continuous investment in our technology, St. Jude Medical devices have built-in measures to reduce the risk of unauthorized commands being issued to our implantable devices. In addition we have an ongoing focus to continually strengthen our security systems in the ever changing cybersecurity environment. For example:
• Access controls help protect the Merlin@home™ operating system from unauthorized access
• The lack of built-in programming commands in Merlin@home help ensure that therapy is provided through the implanted device only at the direction of the physician
• Proprietary implantable medical device protocols protect communications with the implantable device
• Encryption of session authentication between the implantable medical device and Merlin@home further enhances device security
• The limited Medical Implant Communication Services (MICS) wireless range restricts accessibility of communications with the implantable device
“Patient safety is and has always been our top priority,” said Mark Carlson, M.D., vice president and chief medical officer at St. Jude Medical. “Our devices are safe and we have taken and continue to take appropriate steps to address the dynamic challenges of cyber security. We do this because it is the responsible thing to do for the patients and physicians who rely on our devices.”
View source version on businesswire.com: http://www.businesswire.com/news/home/20160830005740/en/
Source: St. Jude Medical, Inc.
-
Aug 26, 2016 | Press Release
AUGUST 26, 2016 ST. PAUL, Minn.--(BUSINESS WIRE)-- St. Jude Medical, Inc. (NYSE:STJ), a global medical device company, today issued the following statement: We have examined the allegations made by Muddy Waters Capital and MedSec on August 25, 2016 regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading. Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions.
Remote monitoring is a safe and effective means for patients to communicate with their physician. It has been well documented in leading publications that remote monitoring saves lives. At St. Jude Medical, we work with third-party experts, researchers, government agencies and regulators in cybersecurity to develop appropriate safeguards for our data and devices as part of our product development process and life cycle. These experts assist in designing security controls from the early stages of product design through final release and ongoing product enhancements, including software updates and security patches for our products. We also conduct regular risk assessments based on FDA guidance and perform penetration tests using internal and external experts. In addition, we collaborate with industry and governmental organizations to gain insight on recent trends and take appropriate action.
Our system provides an automated remote upgrade process for all Merlin@home units that are in active use so that security enhancements are automatically deployed when they become available. Merlin@home units that are not in active use and connected to the internet will also be upgraded when they return to use if a new update is available. Our analysis concluded that the majority of the observations in the report apply to older versions of the Merlin@home™ devices (i.e., those that have not been updated through the automated remote upgrade process). We are confident in the technology that we provide and in our process for continuously building upon our security protocols and processes. We want to reassure our patients that our systems meet the highest international security requirements, as required by regulatory authorities and international standards organizations.
Claims of remote battery depletion are misleading
The report claimed that the battery could be depleted at a 50-foot range. This is not possible since once the device is implanted into a patient, wireless communication has an approximate 7-foot range. This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report. In addition, in the described scenario it would require hundreds of hours of continuous and sustained “pings” within this distance. To put it plainly, a patient would need to remain immobile for days on end and the hacker would need to be within seven feet of the patient. In the unlikely instance that was to occur, the implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold to protect and notify patients.
The flawed test methodology on outdated software demonstrates fundamental lack of understanding of medical device technology
The report claimed that the system could be impaired, similar to when a computer system “crashes.” The report has little detail on this simulation and includes many inconsistencies. In fact, the screenshot of the Merlin programmer in the Muddy Waters report shows a device that is functioning normally. The red items on the screen are highlighting the fact that there are no leads connected to the device. The device is pacing properly, at the programmed 40 bpm. The screenshot shows expected behavior from the SecureSense algorithm when the device is pacing without any connected leads.
St. Jude Medical will remain ever vigilant and dedicated to patient safety
Our software has been evaluated and assessed by several independent organizations and researchers including Deloitte and Optiv. In addition, Merlin.net was Safe Harbor certified by St. Jude Internal Audit in 2013 and annually since then. This includes an annual audit of key security controls within the Merlin.net environment and Merlin.net has received ISO 27001 certification since 2009. This includes an internal audit of security controls and an independent certification by a third party, BSI. In 2015, we successfully completed an upgrade to the ISO 27001:2013 certification.
Muddy Waters also makes numerous unsubstantiated statements that are speculative with no evidence shown to prove the claims such as an ability to impersonate any SJM device, reverse engineering to create a pocket-size programmer, and a large-scale attack through the Merlin network. However, we are not aware of such threats and will remain vigilant to the ever-increasing sophistication of those seeking access to devices/data and address any issues based on additional detail provided.
We recognize the importance of providing physicians with up-to-date and accurate information in a timely and responsible manner so that they can make informed patient care decisions. Our analysis reinforces the need for researchers and manufacturers to work together to discuss and resolve potential issues together to avoid unnecessarily alarming patients.
St. Jude Medical is a strong supporter of responsible disclosure and proactively works with industry groups like NH-ISAC and ICS-CERT
We encourage anyone with product security questions to contact us at productsecurity@sjm.com. We ask anyone with a potential cybersecurity vulnerability in a St. Jude Medical product to contact us at vulnerabilityreporting@sjm.com for further inspection and analysis to best ensure we are able to validate and communicate information in the interest of patient safety.
Patient safety has always been our top priority and we have every reason to believe our devices are safe. Because we recognize cybersecurity is a concern for patients, it is also a priority for St. Jude Medical. We have a dedicated resource on sjm.com reinforcing our commitment to product and information security on our website.
About the Impact of the St. Jude Medical Remote Monitoring Portfolio
The St. Jude Medical Merlin.net Patient Care Network (PCN) is an award winning Radio frequency (RF) remote monitoring system designed to improve outcomes for patients with pacemakers, implantable cardioverter defibrillators (ICDs) and cardiac resynchronization defibrillators (CRT-Ds). With rapid access to their patient’s information through the secure Merlin.net PCN website, physicians can remotely monitor and assess patient device data and determine interventions needed. Recent research has shown that remote monitoring can improve patient survival while reducing hospitalizations and health care utilization.
In 2008, St. Jude Medical improved upon the exceptional security of the Merlin.net PCN by introducing the Merlin@home™ transmitter, which allows efficient remote care management and additional options for physicians to provide early intervention and improve health care efficiency. The data transferred by Merlin@home are fully encrypted and meet or exceed all applicable national data privacy and security requirements in all countries where the Merlin.net PCN is used. In addition, the Merlin.net PCN was the first cardiac device monitoring system to be awarded ISO/IEC 27001:2005 certification, a stringent worldwide information security standard, and our certification is audited, updated and current.
Remote monitoring of cardiac patients has become a best-practice over the past decade. In 2016, the Heart Rhythm Society has made remote monitoring the standard of care in its recent guidelines. St. Jude Medical has pioneered this life-saving capability with our RF Merlin.net Patient Care Network (PCN) and the Merlin@Home patient system. Dozens of studies continue to prove the positive impact on patient outcomes, and the reduction of healthcare costs.
Patients with questions about remote care from St. Jude Medical can call Remote Care Services at 1-877-MY MERLIN (1-877-696-3754).
View source version on businesswire.com: http://www.businesswire.com/news/home/20160826005729/en/
Source: St. Jude Medical, Inc.
Attorney/Client Privileged / Developed at Request of Counsel
Full Text of Stories Below