- The Washington Times - Tuesday, August 30, 2016

Concerns raised by the release of a report last week highlighting supposed security vulnerabilities affecting pacemakers, defibrillators and other medical devices have prompted attorneys to pursue a class-action lawsuit against their manufacturer, St. Jude Medical.

Lawyers for defibrillator patient Clinton W. Ross Jr. filed the class-action complaint Friday in Los Angeles federal court, one day after short-selling firm Muddy Waters accused St. Jude of selling implanted heart devices that are vulnerable to cyberattack.

Mr. Ross would not have undergone surgery last November to be implanted with a St. Jude device had he been aware of the “severe security vulnerabilities” detailed in the recent report, his attorneys wrote in Friday’s court filing.

The complaint lists 30 different St. Jude devices that are believed to have serious security flaws and claims that potentially hundreds of thousands of similarly situated heart patients have grounds to sue the manufacturer for fraud and negligence, among other charges.

In its report, Muddy Waters said researchers at cybersecurity firm MedSec Holdings demonstrated how attackers could hijack home-monitored cardiac devices made by St. Jude with potentially catastrophic consequences.

Notably, the firm claimed that implanted devices that use radiofrequency (“RF”) telemetry to broadcast personal medical data from the insides of patients to in-home transmitters were prone to attack because standard security defenses such as strong authentication and encryption were largely absent. As a result, hackers could potentially force an implanted cardiac device to “pace” at a dangerous rate, or rapidly drain power from an implanted device’s battery, the report said.

“The lack of even the most basic security defenses allowed MedSec — with relatively little effort — to develop and demonstrate two types of potentially catastrophic attacks that could be used against St. Jude’s cardiac devices with RF telemetry capabilities,” attorneys for Mr. Ross wrote in the court filing. “Given the lack of even the most basic security defenses … it is doubtless that a malicious attacker could find numerous other attacks.”

St. Jude’s chief technology officer, Phil Ebeling, denounced the short-selling firm’s allegations as “absolutely untrue” and said his company has several layers of security in place, such as conducting routine assessments on all of its devices.

Nonetheless, attorneys for Mr. Ross said in Friday’s filing that St. Jude patients should be allowed to sue the manufacturer for breach of expressed warranty, fraudulent concealment, negligence and unjust enrichment.

Mr. Ross‘ lead attorney, Mike Arias, did not immediately respond to a request for comment when contacted by Courthouse News, where the complaint was first reported Tuesday. The case has been assigned to District Judge Dolly M. Gee and Magistrate Judge Charles F. Eick in U.S. District Court for the Central District of California.

St. Jude’s stock saw its biggest one-day loss in seven months Thursday following publication of Muddy Waters‘ report. The short-seller predicted the security concerns would cause the company to recall several products and lose upwards of half its revenue during the next two years. 

Sign up for Daily Newsletters

Manage Newsletters

Copyright © 2020 The Washington Times, LLC. Click here for reprint permission.

Please read our comment policy before commenting.


Click to Read More and View Comments

Click to Hide