Medical technology corporation St. Jude Medical (STJ) has filed a lawsuit against a University of Chicago Medical Center doctor, alleging that he was involved in an attempt to manipulate the company's stock for financial gain.
Dr. Hemal Nayak, a University of Chicago assistant professor and electrophysiologist, is singled out by plaintiff STJ for allegedly conspiring with companies MedSec, where he is a board member, and Muddy Waters Research LLC to falsely suggest critical security issues in STJ’s products. Nayak also published a letter using University letterhead stating his concerns about STJ devices.
Nayak obtained a number of St. Jude’s Cardiac Rhythm Management (CRM) devices, including pacemakers and implanted defibrillators, for MedSec to use in a research program that claims to have found significant cybersecurity vulnerabilities in the devices.
Following the research, MedSec brought its findings to financial research firm Muddy Waters Research LLC, which published a report on August 25 describing the vulnerabilities. The report also predicted that “There is a strong possibility that close to half of STJ’s revenue is about to disappear for approximately two years.” As a result, Muddy Waters revealed that it would be short selling STJ stock, through which they would profit off of a decrease in the value of the company’s stock. STJ’s stock dropped more than four points in a single day after the report’s publication.
To accompany the report, Nayak published a letter, using University of Chicago letterhead, warning his patients and fellow doctors about the vulnerabilities MedSec apparently uncovered. The letter advises patients with STJ implants to unplug their home monitoring systems, which send information recorded by their CRM device to their physicians, and states that Nayak no longer plans to implant STJ devices until the vulnerabilities are addressed.
The Muddy Waters report notes that Nayak has an “immaterial equity interest” in MedSec, indicating his partial ownership of the company as a board member. The report was also updated from its original version to include a statement that “Nayak speaks for himself, and not his employers,” referring to the University.
After the report’s publication, STJ published a response defending its products and pointing out that the vulnerabilities addressed in the report are largely exaggerated or speculative. STJ’s response noted that an attacker would need to be continuously within seven feet of a targeted implant once it was actually within an individual in order to drain its battery as demonstrated, and that the device would give a vibratory warning before the battery was fully drained. The response also notes that the signs of a supposed crash documented by MedSec researchers indicate only that the device was not connected to any living tissue, but was otherwise functioning normally.
Within two weeks of the publication of the Muddy Waters report, STJ filed a legal complaint requesting a jury trial in the U.S. District Court for the state of Minnesota. The lawsuit alleges that, rather than expressing genuine concern for the safety of St. Jude’s patients, Muddy Waters, MedSec, and Nayak intended primarily to manipulate financial markets for financial gain. According to the complaint, “Defendants undertook their carefully orchestrated scheme with the express intent to interfere with efficient public markets by intentionally disseminating false information in order to depress the value of St. Jude’s stock and profit from such depression in value by implementing a short-selling scheme.” The case is currently ongoing.
St. Jude’s lawsuit charges Nayak and the other defendants with four counts, including defamation, violating state and federal business practices law, and civil conspiracy. The list of defendants also include Muddy Waters founder Carson Block and MedSec CEO Justine Bone.
Multiple independent entities, including the FDA and a team of researchers at the University of Michigan, have since released their own analyses of the Muddy Waters report. Both the FDA and the University of Michigan researchers concluded that the danger to patients from the possible vulnerabilities described in the report does not outweigh the advantages of the affected devices and reporting systems, according to STJ’s legal complaint. As cited in the complaint, “the FDA advised that at this time ‘patients should continue to use their devices as instructed and not change any implanted device’ and that ‘if a patient has a question or concern they should talk with their doctor.’”
STJ and the lawyers representing both the plaintiff and defendants did not respond to requests for comment, and Nayak declined to comment.