The St. Jude Medical and Abbott Laboratories Acquisition Timeline

• April 28, 2016: Abbott Laboratories announces its agreement to acquire St. Jude Medical for about $25 billion.
• August 26, 2016: Muddy Waters Capital, in conjunction with MedSec, warns about the cyber security weaknesses of St. Jude’s pacemakers.
• August 26, 2016: St. Jude, which is in the midst of selling itself to Abbott Laboratories, vehemently denies the reports. “Based on available information, we conclude that the report is false and misleading.”
• September 7, 2016:  St. Jude Medical sues Muddy Waters and MedSec for defamation. St. Jude says the allegations are false and claims that Muddy Waters and MedSec are “intentionally disseminating false information”. St. Jude reiterates that the company “stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions.”
• October 24, 2016: Muddy Waters and MedSec respond to the St. Jude complaint, defending their research and First Amendment rights. The response also includes expert opinion from Bishop Fox, a cyber security consulting firm, that validates many of the serious concerns brought forward by Muddy Waters and MedSec. Bishop Fox concludes that the security of St. Jude’s “implantable cardiac device ecosystem . . . . do not meet the security requirements of a system responsible for safeguarding life-sustaining equipment implanted in patients.” Furthermore: “The wireless protocol used for communication amongst St. Jude Medical cardiac devices has serious security vulnerabilities that make it possible to convert Merlin@home devices into weapons capable of disabling therapeutic care  . . . “  
• January 4, 2017:  Abbott Laboratories closes its acquisition of St. Jude Medical for about $25 billion.
• January 9, 2017: The Food & Drug Administration and the Department of Homeland Security confirm Muddy Waters’ and MedSec’s findings and issue alerts about the implanted devices made by St. Jude Medical. Simultaneously in connection with the government’s conclusion, St. Jude acknowledges weaknesses in the Merlin@home system and issues a software patch to patch cyber security risks.
• January 9, 2017: Muddy Waters says that the announced fixes do not appear to address the larger problems, including the existence of a universal code that could allow hackers to control the implants.
• January 9, 2017:  Matthew Green, an assistant professor for computer science at Johns Hopkins University and a part of the Bishop Fox team, called one vulnerability "probably the most impactful vulnerability I've ever seen."
• February 7, 2017: The Department of Homeland Security updates its cyber security alert with respect to St. Jude Medical’s pacemakers and defibrillators. In sum, St. Jude (now part of Abbott Labs) acknowledges that more models of implantable medical devices than previously disclosed are subject to cyber security threats.

After the merger closed:

• The Chairman of St. Jude Medical stood to take home +$500 million.
• The Chief Executive Officer of St. Jude Medical stood to take home $35 million.

SHOCK-ON-T

EMERGENCY SHOCK

VIBRATE

DISABLE TACHY

Q: Why did Muddy Waters and MedSec depart from standard cyber security disclosure protocol with respect to their research on St. Jude Medical?

A: Muddy Waters and MedSec were alarmed by the risks posed by flaws in St. Jude’s medical devices. Muddy Waters and MedSec did not believe St. Jude would take action to remediate the problems. For those reasons, they decided to bring the issue to the public’s attention to ensure that St. Jude Medical responded appropriately and with urgency.

Background

Muddy Waters worked with MedSec, a cyber-security research company formed exclusively to serve the health care industry, to analyze and form its opinion on St. Jude Medical and the company’s implantable cardiac devices.

MedSec had contacted Muddy Waters after largely completing an 18-month cyber security assessment of major manufacturers’ pacemakers and defibrillators. MedSec’s research revealed vulnerabilities with St. Jude Medical’s Merlin@home transmitter that, if exploited, could allow an unauthorized user remote access to a patient’s implanted cardiac device.  Once St. Jude filed its lawsuit, Muddy Waters brought in independent cyber-security experts to review the findings.

While vulnerabilities were discovered in implantable cardiac devices by a number of manufacturers, the risks posed by St. Jude Medical devices were by far the most concerning, because St. Jude Medical devices, unlike the devices of other manufacturers, relied on wireless transmissions.

MedSec and Muddy Waters believe that St. Jude Medical has known about cyber security problems in its products since at least 2013. Furthermore, in 2014, St. Jude’s cardiac devices were the subject of Department of Homeland Security investigation into cybersecurity flaws.  Yet, to the knowledge of Muddy Waters and MedSec, very little action was taken by the company.

For these reasons, MedSec and Muddy Waters decided to make the major conclusions of the cyber-security findings public; all sensitive and detailed information was stripped from the public report to protect consumers. This approach represents a departure from standard cyber security protocol but was deemed necessary in order to bring the public’s attention to the issue and ensure that St. Jude Medical responded appropriately and with urgency.