St. Jude Sued Over Security of Connected Pacemakers

Class Action Litigation Report® is a one-stop resource for tracking the most important class-action and multi-party litigation across the nation, and across all subjects with particular focus on...

By Julie A. Steinberg

Aug. 30 — St. Jude Medical was hit with a would-be class suit over its implantable cardiac devices, in the wake of a report that the pacemakers' home monitoring systems have serious cybersecurity vulnerabilities ( Ross v. St. Jude Medical, Inc., C.D. Cal., No. 16-6506, complaint 8/26/16 ).

St. Jude Medical, Inc. and related companies failed to protect device recipients from potential hackers, Illinois resident Clinton W. Ross Jr., alleges in an Aug. 26 complaint in the U.S. District Court for the Central District of California.

“We want to emphasize that patient safety is and has always been our top priority,” St. Jude said in a statement sent to Bloomberg BNA. “In this situation, we believe there are numerous inaccuracies in the complaint.”

Implantable cardiac devices like pacemakers and defibrillators monitor and correct heart conditions. Historically, patients had to see their doctors several times a year for monitoring.

Networking functions, also known as telemetry, allow remote collection via the Internet of the same information that would be collected during a physician office visit.

This offers convenience and cost savings, but also introduces security risks, the complaint said.

In August, short-seller Muddy Waters Capital LLC reported findings by cybersecurity company MedSec Holdings Ltd. regarding severe security vulnerabilities in St. Jude cardiac devices with telemetry capabilities, the complaint said.

According to the complaint, security flaws in St. Jude systems render patients susceptible to attacks including a “crash attack” that could remotely disable the device, or a “battery drain attack.”

Ross, who has a St. Jude Quadra Assura defibrillator, says he—at his physician's recommendation—unplugged the remote unit and doesn't intend to resume use of the remote features until the security issues are resolved.

Ross raises warranty, fraudulent concealment, negligence and unjust enrichment claims on behalf of a national class and an Illinois class of patients with implantable pacemakers and defibrillators.

However, St. Jude said in a statement that a video by Muddy Waters actually shows the device working properly.

“The video clearly shows a security feature, not a flaw,” Phil Ebeling, St. Jude’s chief technology officer, said in the statement. “The pacemaker is actually functioning as designed. If attacked, our pacemakers place themselves into a ‘safe’ mode to ensure the device continues to work.”

The threat of medical device hacking isn't new.

In 2013, former Vice President Dick Cheney said he had disconnected his defibrillator from the internet because of concerns about a hack.

Arias, Sanguinetti, Stahle & Torrijos LLP represents the plaintiff.

—With Assistance from Michelle Fay Cortez

To contact the reporter on this story: Julie A. Steinberg in Washington at

To contact the editors responsible for this story: Steven Patrick at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.