Medical equipment maker St Jude Medical has filed a case against security research firm MedSec and investment firm Muddy Waters Capital after the pair combined to short St Jude stock by claiming that some of its equipment had security vulnerabilities.
St Jude, which is based in St Paul, Minnesota, filed the case in the United States District Court for the District of Minnesota, over what it claimed were false statements, false advertising, conspiracy and the related manipulation of the public markets in connection with its implantable cardiac management devices.
As iTWire reported, researchers from the Miami-based MedSec discovered that defibrillators and pacemakers made by St Jude had what they claimed were vulnerabilities in the software that could endanger lives.
The MedSec staffers approached Muddy Waters and sought a deal: they would provide information about the vulnerabilities which Muddy Waters could disseminate to its investors, while it shorted the stock.
The stock fell 4.4% on 26 August and both firms made a killing.
The usual practice of security researchers is to inform a company when flaws are found in its products and allow 90 days for them to be fixed. If that does not happen, then many researchers post these flaws to one of the security mailing lists in order to shame the company into fixing the flaws.
Or researchers sell their discoveries to companies that pay for such information; some sell the details of flaws on the grey market.
What MedSec and Muddy Waters did was a first.
In a media release issued on Wednesday, St Jude Medical said: "The lawsuit filed today alleges that Muddy Waters, MedSec and the other defendants intentionally disseminated false and misleading information in order to lower the value of St Jude Medical’s stock and to wrongfully profit from a drop in share value through a short-selling scheme.
"The company’s complaint refers to the Muddy Waters and MedSec repeated false allegations that began on 25 August about St Jude Medical’s implantable cardiac devices. As further explained in the company’s complaint, the defendants’ financially self-interested attempts to mislead doctors and patients demonstrate a total disregard for the patients whose lives depend on their cardiac management devices.
"The complaint also cites a third-party assessment of the Muddy Waters Report by University of Michigan researchers who found that 'the evidence does not support their conclusions… [the University of Michigan researchers] were able to generate the reported conditions without there being a security issue'.
"In addition, an electrophysiologist and cardiologist from the University of Michigan also stated that 'given the significant benefits from home monitoring, patients should continue to use their prescribed cardiac devices' at this time."
In response, Muddy Waters told the Minneapolis-based Star Tribune newspaper by email: "It is not unusual for a company like this to try to silence its critics and we are always prepared to vigorously defend our right to criticise a company that puts its profits before its patients."
MedSec has not made any public comment on the development as yet.