St. Jude Class Action Lawsuit Filed Over Pacemaker Security Risks

A class action lawsuit has been filed over problems with St. Jude pacemakers and other implantable heart devices, which allegedly contain security risks that could allow hackers to remotely access the devices. 

The complaint (PDF) was filed by Clinton W. Ross Jr. in the U.S. District Court for the Central District of California on August 26, seeking class action status to represent all individuals who received certain St. Judge pacemaker or defibrillators with radiofrequency telemetry capability, which may not have proper security against outside electronic intrusion.

Ross was implanted with a St. Jude Quadra Assura CRT in November 2015, which is designed to allow his physician to remotely monitor the device. However, following a recent report that highlighted St. Jude pacemaker security risks, his doctor recommended that the use of the remote transmitter services be discontinued until the problems are resolved.

Did You Know?

AT&T Data Breach Impacts Millions of Customers

More than 73 million customers of AT&T may have had their names, addresses, phone numbers, Social Security numbers and other information released on the dark web due to a massive AT&T data breach. Lawsuits are being pursued to obtain financial compensation.

Learn More

The St. Jude class action lawsuit came a day after a report was released by Muddy Waters Capital LLC, outlining findings by MedSec Holdings, which identified significant security vulnerabilities in St. Jude’s devices.

The report indicates that the company’s Merlin@home transmitter and Merlin.net PCN, which are used to transmit data from heart devices to physicians, “lacked even the most basic security defenses” such as encryption, anti-tampering devices and anti-debugging tools, which are used by other heart device manufacturers.

“Although the remote monitoring of cardiac devices provides clear benefits, it also introduces a major source of security risks,” the lawsuit warns. “For example, an implanted cardiac device that communicates wireless through RF (radiofrequency) is no longer ‘invisible’ since its presence can be remotely detected. Furthermore, a vulnerable communication channel in an implanted cardiac device with RF capabilities could allow unauthorized access to transmitted data by eavesdroppers. This could result in a major privacy breach, given the sensitive information stored and transmitted by these devices (including vital signals, diagnosed conditions, therapies, and a variety of personal data).”

Cybersecurity threats to the medical field have been a growing concern over the last few years as vulnerabilities to healthcare organizations record systems and medical devices have surfaced.

Since 2014, the U.S. Department of Homeland Security (DHS) has been actively investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. According to DHS, if preventative actions to strengthen the medical field’s cybersecurity issues are not taken, hackers could exploit these vulnerabilities and put patients in serious risk.

The Department of Health and Human Services (DHHS) manager, Jason Lay, has called the exposed vulnerabilities in the medical field a danger. Lay claimed the possibility of hacks to medical devices are a very real possibility, stating hackers could potentially tamper with medical devices and use them to gain access to healthcare organizations health record systems.

Additionally, in a demonstration at the RSA security conference in San Francisco in 2012, researchers were able to hack medical devices such as insulin pumps from up to 300 feet away. The demonstration further showed how hackers could remotely take control of the insulin devices, allowing them to deliver lethal doses of insulin to patients without any notification.

The FDA has been actively working on improving cybersecurity in the medical field since 2013, when the White House issued Executive Order 13636, which called on the public and private sectors to collectively strengthen the gap in cybersecurity infrastructure. Since the order, the FDA issued its first guidance in October 2014, recommending medical device manufactures to incorporate strong anti-hack programs during the design stages of device development.

The agency proposed a second guidance on January 15, outlining important steps medical device manufacturers should take to proactively plan for and to assess vulnerabilities, to keep patients safe and better protect public health.

3 Comments

  • WandaFebruary 15, 2021 at 6:30 pm

    2013 I really ceived a Saint Jude pacemaker it shocked me and my chest I’ll start jumping like a muscle it does it throughout the day it’s just been miserable it makes my left hand jump whenever it goes to shock I’ll be doing some thing spilling stuff on me it’s just been a bad thing Are you find myself getting tired so easily I got it done in Fort Worth Texas and I reside in Paragould Arkansas an[Show More]2013 I really ceived a Saint Jude pacemaker it shocked me and my chest I’ll start jumping like a muscle it does it throughout the day it’s just been miserable it makes my left hand jump whenever it goes to shock I’ll be doing some thing spilling stuff on me it’s just been a bad thing Are you find myself getting tired so easily I got it done in Fort Worth Texas and I reside in Paragould Arkansas and when I go to get a pacemaker reading they can’t do a reading it’s all jumbled up is anybody else have problems like this

  • SHARONOctober 26, 2019 at 2:17 am

    I had a St. Jude pacemaker installed in March 2011. I would tell my doctor that the pacemaker was defective. It was shocking me and giving me mini-shocks throughout the day. Plus, the device would heat up and get hot. It was miserable. I received a warning letter from St. Jude saying that .2% of pacemakers like mine, were defective and could go dead at anytime. That gave me the leverage to [Show More]I had a St. Jude pacemaker installed in March 2011. I would tell my doctor that the pacemaker was defective. It was shocking me and giving me mini-shocks throughout the day. Plus, the device would heat up and get hot. It was miserable. I received a warning letter from St. Jude saying that .2% of pacemakers like mine, were defective and could go dead at anytime. That gave me the leverage to negotiate with my doctor and get a new pacemaker, but it was the same model and was installed a year ago.

  • DewayneMay 6, 2017 at 3:12 am

    I have had a merlin monitor since 2012. In 2013 had to have pacemaker defibulator replaced after x13 shocks, no explanation as to why I was shocked. Had another replacement 2017 due to battery recall, I'm 100% dependant on my device. Was recently given a wireless merlin monitor.

Share Your Comments

I authorize the above comments be posted on this page*

Want your comments reviewed by a lawyer?

To have an attorney review your comments and contact you about a potential case, provide your contact information below. This will not be published.

NOTE: Providing information for review by an attorney does not form an attorney-client relationship.

This field is for validation purposes and should be left unchanged.

More Top Stories

Leadership Development Committee for Suboxone Dental Injury Lawyers Established in Federal MDL
Leadership Development Committee for Suboxone Dental Injury Lawyers Established in Federal MDL (Posted yesterday)

The U.S. District Judge presiding over all Suboxone lawsuits has created a mentorship program to use the litigation to provide some attorneys an opportunity to gain experience in handling complex federal multidistrict litigations.

Gilead Settlement Resolves 2,625 HIV Drug Lawsuits Pending in Federal Courts for $40M
Gilead Settlement Resolves 2,625 HIV Drug Lawsuits Pending in Federal Courts for $40M (Posted 3 days ago)

Gilead says it will pay $40 million to resolve HIV drug lawsuits over Truvada, Atripla, Viread, Stribild and Complera pending in the federal court system, involving claims that the the company sat on safer formulations of the drugs for years to increase profits.