St. Jude Class Action Lawsuit Filed Over Pacemaker Security Risks

A class action lawsuit has been filed over problems with St. Jude pacemakers and other implantable heart devices, which allegedly contain security risks that could allow hackers to remotely access the devices. 

The complaint (PDF) was filed by Clinton W. Ross Jr. in the U.S. District Court for the Central District of California on August 26, seeking class action status to represent all individuals who received certain St. Judge pacemaker or defibrillators with radiofrequency telemetry capability, which may not have proper security against outside electronic intrusion.

Ross was implanted with a St. Jude Quadra Assura CRT in November 2015, which is designed to allow his physician to remotely monitor the device. However, following a recent report that highlighted St. Jude pacemaker security risks, his doctor recommended that the use of the remote transmitter services be discontinued until the problems are resolved.

The St. Jude class action lawsuit came a day after a report was released by Muddy Waters Capital LLC, outlining findings by MedSec Holdings, which identified significant security vulnerabilities in St. Jude’s devices.

The report indicates that the company’s Merlin@home transmitter and Merlin.net PCN, which are used to transmit data from heart devices to physicians, “lacked even the most basic security defenses” such as encryption, anti-tampering devices and anti-debugging tools, which are used by other heart device manufacturers.

“Although the remote monitoring of cardiac devices provides clear benefits, it also introduces a major source of security risks,” the lawsuit warns. “For example, an implanted cardiac device that communicates wireless through RF (radiofrequency) is no longer ‘invisible’ since its presence can be remotely detected. Furthermore, a vulnerable communication channel in an implanted cardiac device with RF capabilities could allow unauthorized access to transmitted data by eavesdroppers. This could result in a major privacy breach, given the sensitive information stored and transmitted by these devices (including vital signals, diagnosed conditions, therapies, and a variety of personal data).”

Cybersecurity threats to the medical field have been a growing concern over the last few years as vulnerabilities to healthcare organizations record systems and medical devices have surfaced.

Since 2014, the U.S. Department of Homeland Security (DHS) has been actively investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. According to DHS, if preventative actions to strengthen the medical field’s cybersecurity issues are not taken, hackers could exploit these vulnerabilities and put patients in serious risk.

The Department of Health and Human Services (DHHS) manager, Jason Lay, has called the exposed vulnerabilities in the medical field a danger. Lay claimed the possibility of hacks to medical devices are a very real possibility, stating hackers could potentially tamper with medical devices and use them to gain access to healthcare organizations health record systems.

Additionally, in a demonstration at the RSA security conference in San Francisco in 2012, researchers were able to hack medical devices such as insulin pumps from up to 300 feet away. The demonstration further showed how hackers could remotely take control of the insulin devices, allowing them to deliver lethal doses of insulin to patients without any notification.

The FDA has been actively working on improving cybersecurity in the medical field since 2013, when the White House issued Executive Order 13636, which called on the public and private sectors to collectively strengthen the gap in cybersecurity infrastructure. Since the order, the FDA issued its first guidance in October 2014, recommending medical device manufactures to incorporate strong anti-hack programs during the design stages of device development.

The agency proposed a second guidance on January 15, outlining important steps medical device manufacturers should take to proactively plan for and to assess vulnerabilities, to keep patients safe and better protect public health.