Heart Implant Devices Can Be Hacked to Steal Data or Harm Patients, Claims Lawsuit

Wednesday, August 31, 2016
(graphic: Michael Travers, Getty Images)

By Don Debenedictis, Courthouse News


LOS ANGELES (CN) — In a class action that sounds like a Tom Clancy novel, a patient claims that pacemakers and other implanted heart devices sold by St. Jude Medical can be attacked by hackers to steal personal information and even harm patients.


Clinton W. Ross Jr. claims that several lines of St. Jude's heart-regulating devices designed to be monitored remotely with in-home equipment, rather than during in-person visits to the doctor, lack "even the most basic security defenses" to safeguard their computer communications from outsiders.


"St. Jude's failure to protect these important sensitive network credentials reveals a complete lack of any focus on security and provides a potential avenue for obtaining unauthorized access," Ross says in his Aug. 26 federal complaint.


The security flaws not only put patients' medical and personal information at risk, Ross says, but the pacemakers, defibrillators and heart resynchronizers are vulnerable to attack "in ways previously not possible."


For instance, "a bad actor could monitor and modify the implant without necessarily being close to the victim," Ross says. "Such attacks can put at risk the safety of the patient with the implantable device, with fatal consequences in certain cases."


Implanted cardiac devices that talk to special units on patients' nightstands have become popular in the past 10 years for their convenience. St. Jude's devices use radio telemetry to communicate with home units called Merlin@home transmitters.


Ross bought a Merlin@home transmitter to monitor his St. Jude cardiac resynchronization therapy defibrillator in November 2015. Based on his doctor's recommendation, he says, he unplugged the transmitter after the security concerns became known.


The concerns became public on Thursday, when a stock short-sale firm, Muddy Waters Capital, released a 33-page report claiming that hundreds of thousands of St. Jude's home-monitored cardiac devices have "severe security vulnerabilities." Ross filed his class action the next day.


Citing the Muddy Waters report, he says an investigation by cyber security firm MedSec Holdings "demonstrated at least three ways to obtain 'root access' to the Merlin@home transmitter," and two ways — "with very little effort" — to deliver "potentially catastrophic attacks" against a cardiac device.


An attack could slowly drain the device's battery over a few weeks. A "crash attack" could use telemetry signals to put a pacemaker "into a state of malfunction," making it ignore signals or queries from the Merlin transmitter.


Or a crash attack could make a device speed up a patient's heart enough to cause "severe adverse health consequences," the complaint states.


St. Jude did not respond to a request for comment. But on Friday, the Milwaukee-based company issued a long statement blasting the Muddy Waters and MedSec claims as "false and misleading."


St. Jude said its devices regularly update their software automatically and that the software has been tested, audited and certified by outside experts.


Ross seeks certification of two classes: a national one, and one of purchasers from Illinois, where he lives, and restitution and damages for breach of warranty, fraudulent concealment, negligence and unjust enrichment.


His lead attorney Mike Arias, with Arias, Sanguinetti, Stahle & Torrijos, did not return a call seeking comment.


To Learn More:

Union Sues FDA over Censored Report on Heart Defibrillator (by Noel Brinkerhoff, AllGov)

Patients Not Allowed Access to Data Collected by Implants in their Bodies (by Noel Brinkerhoff, AllGov)

Majority of Implanted Medical Devices Never Safety Tested (by David Wallechinsky and Noel Brinkerhoff, AllGov)

