MedSec, a new medical research firm with ties to Philadelphia-area political figures, filed papers last week doubling down on its controversial claim that a substantial number of St. Jude Medical’s heart devices are vulnerable to hackers.
In an Oct. 24 filing, the company cited more evidence: a study by the Phoenix-based cyber security specialist Carl Livitt, who said hackers could cause St. Jude cardiac implants to stop working properly and deliver shocks to patients.
The statement is the latest barrage in what is shaping up to be a lengthy legal war. MedSec first criticized the safety of St. Jude’s devices in August. It acted in concert with Muddy Waters Capital, a California-based hedge fund that bet against the device maker’s stock even as St. Jude was in the midst of a merger with Abbott Laboratories.
St. Jude’s stock fell by more than 7 percent in two days and hasn’t rebounded much. Now the device maker is suing MedSec and Muddy Waters in federal court in Minnesota, maintaining that the defendants used junk science to scare patients and “gain a financial windfall.”
MedSec’s latest volley was in response to St. Jude’s suit.
At issue is much more than a run-of-the-mill dispute between researchers. St. Jude, with $5.5 billion in annual revenue, is a major supplier of devices. Hundreds of thousands of people use St. Jude’s devices.
National cyber experts as well as fiction writers have long been concerned about the vulnerability of those devices.
In 2012, the Government Accountability Office reported that federal officials were acting too slowly to prepare for hacking and malware.
A 2012 episode of the television series Homeland portrayed the fictional assassination of a U.S. vice president, whose pacemaker was hacked.
And in 2013, former Vice President Dick Cheney said his doctors disabled his defibrillator’s wireless capabilities because of concerns that it could be hacked.
So far the Food and Drug Administration, which oversees the devices, has not recommended that patients take any action, saying that it is reviewing MedSec’s charges.
If people have concerns, the FDA says, they should consult with their doctor.
MedSec’s six-member board of directors includes State Rep. Nick Miccarelli (R., Delaware County), former U.S. Rep. Curt Weldon, and University of Pennsylvania engineering associate professor Rahul Mangharam.
Miccarelli, the only MedSec board member who responded to requests for comment, defended the firm’s research on St. Jude’s products.
“If MedSec plays even a small role in saving just one person’s life, then I believe the company should be applauded for bringing this issue to light,” emailed Miccarelli, who is running for reelection.
MedSec, which is incorporated on a Caribbean island and was registered as a U.S. company in early August, put itself on the map Aug. 25. That’s when its experts announced that nearly half of St. Jude’s heart devices were seriously vulnerable to hacking.
At the same time, Muddy Waters was betting that the manufacturer’s stock prices would drop, and St. Jude’s share price fell about 5 percent on Aug. 25 and 2.6 percent the next day. It has not recovered significantly.
At the time, St. Jude was in talks with Abbott about a merger, which is still expected to close by the end of the year.
Other researchers from the University of Michigan quickly questioned MedSec’s findings.
Typically, cyber researchers work directly with manufacturers to solve problems. That’s the route the FDA recommends.
Munir Mandviwalla, chair of the management information systems department at Temple’s Fox School of Business, said hackers have opened a new route. They sometimes spot a security flaw and approach companies seeking jobs on the basis of their hacking skills, he said.
“That’s still on the right side of being deviant,” Mandviwalla said.
But he said MedSec’s approach appeared to have crossed the line. “I don’t see a gray area,” he said.
Ethicists have mixed views on the disclosure.
They said the most important issue was whether MedSec and Muddy Waters’ warning about grave dangers was correct. They said it is too early to determine the safety of devices sold by St. Jude and others.
University of Chicago ethics professor John Paul Rollert said MedSec and Muddy Waters had a basic conflict of interest if they expected to make money from the deal.
“If a conflicted person makes a claim to me, it doesn’t mean he’s wrong,” Rollert said, but he added that “everybody has a reason to take that claim with a grain of salt.”
Miccarelli said he was invited to join the board by fellow member Robert Bryan, a friend from their days at the University of Pennsylvania, “to offer insight on public policy and military matters.” Miccarelli has served in the Army and reserves since 1999.
The warnings over hacking were not the only issue St. Jude faced recently.
Two weeks ago, it announced that nearly 350,000 of its defibrillators may be prone to early battery failure. There was no suggestion that it was related to hacking.
The FDA said two people died after batteries failed in St. Jude products.
St. Jude also said it was setting up a board “to maintain and enhance cyber security and patient safety.”
Miccarelli said he had a clear stake in the dispute.
“I personally have a close family friend with an implanted medical device from St. Jude,” he said. “And as such I certainly want to know if they could be in danger.”