St. Jude Merlin@home Hacker Controversy Sparks Class Action Lawsuit

Published on September 2, 2016 by Sandy Liebhard

A recipient of a St. Jude defibrillator has filed a new class action lawsuit, following allegations that some of the company’s implantable cardiac devices are vulnerable to hacking. The complaint, which was filed last Friday in the U.S. District Court, Central District of California, seeks to benefit recipients of certain St. Judge devices that could be susceptible to cyberattacks.

The complaint was filed one day after the Muddy Waters investor group issued a report alleging that  St. Jude’s implantable cardiac devices, including pacemakers, defibrillators and cardiac resynchronization devices, were easy prey for hackers, especially those bundled with the  Merlin@home  remote transmitter system. According to the 33-page report, the implants are vulnerable to two types of cyberattacks: a “crash” attack that causes the devices to malfunction and a “battery drain” attack that could be harmful to device-dependent users.

Muddy Waters announced the same day that it had taken a short position in St. Jude stock, which would allow it to benefit financially should shares decline in value. While the company has vehemently denied the hacking allegations, St. Jude’s stock saw its biggest single-day loss in seven months following the issuance of the Muddy Waters report.

Lawsuit Could be First of Many

The new class action lawsuit lists dozens of St. Jude devices that are allegedly susceptible to cyberattacks. The lead plaintiff received a St. Jude Quadra Assura cardiac resynchronization therapy defibrillator in November 2015, which, until recently, was remotely monitored via the Merlin@home transmitter. At the time the time of the surgery, he was told that remote monitoring was safe and secure, and would not in any way affect the performance of the implant.

Since learning of the alleged security issues, the plaintiff has stopped using the Merlin@home transmitter on the advice of his physician. He claims that he never would have undergone surgery with the Quadra Assura had he been aware of the “severe security vulnerabilities” alleged in the Muddy Waters’ report.

This appears to be the first product liability lawsuit filed against St. Jude since the Muddy Waters announcement. However, it may not be the last. The investor group has predicted that the affected devices will ultimately need to be recalled and remediated, a process which Muddy Waters says could reduce St. Jude’s revenues by as much as 50% over the next two years. The group also predicted that awards from any products liability litigation related to the controversy could cost St. Jude as much as $64 billion.