An Outside View on St. Jude Device Cyberattack Woes


St. Jude Medical Inc. (NYSE: STJ) has found itself in the center of a storm. A short seller report warned that its pacemakers could be hacked, ultimately posing a threat to its merger with Abbott Laboratories (NYSE: ABT), but there may be some light at the end of the tunnel that could calm investor fears. More importantly, it might also calm the fears of the thousands and thousands of people who actually have these devices inside their bodies.

St. Jude Medical did issue a press release aimed at responding to points in the Muddy Waters report. That report looked at older Merlin devices not upgraded with current software. The company noted that battery depletion could only be achieved over a seven-foot range and would require the patient to be in that seven-foot range for hundreds of hours. Effectively, this would make the implied threat impractical, as the report was said to have noted a 50-foot range. Another issue addressed was that the screenshot the report presented as evidence that someone had successfully crashed a St. Jude device was actually a screenshot of a device pacing properly.

Also note that a Credit Suisse research report has dispelled some of the concerns. Still, the firm has only a Neutral rating and $81 price target. It spoke with a software consultant who sees this as a manageable fix, if it is even needed. Credit Suisse said:

We reviewed the report with a developer of software used in drugs/devices. The developer believed that if the deficiencies listed in the report (unprotected software, lack of a layered defense and easy availability of device firmware) had not already been addressed by subsequent software updates, it was likely that all could be fixed via a software update in approximately 3 months with a team of 5-10 (software updates affecting cybersecurity but not changing the way that devices treat patients can be pushed to devices as long as the software testing procedures are documented by the company and the FDA is notified).

Credit Suisse did not rule out customers looking elsewhere, but its best guess at this point is that St. Jude’s market share in the cardiac rhythm management market is not likely to be meaningfully affected. It also does not expect an impact on the Abbott merger.

Oppenheimer no longer rates St. Jude due to the Abbott merger, but it also addressed the situation as follows:

St. Jude notes that its system has an upgrade process that allows Merlin@home users to get security enhancements pushed to them when available and contends there were flaws in the analysis performed on the devices in the report. In our discussion with St. Jude on Friday, the company highlighted that it works with Homeland Security and the FDA and is in continued communication with the agencies. The company also noted that the network contains data that allows physicians to make treatment decisions, but doesn’t allow for remote control of implantable devices.

One way of determining whether there is a serious risk to a merger is the arbitrage spread. That widened out, but Abbott has made no formal statement, nor has it indicated any change at all to its merger plans. That may or may not change, but so far the situation remains static.

St. Jude shares were last seen trading up 0.7% at $78.53 on Monday, with a 52-week range of $48.83 to $84.00. Its shares were up at $82.00 shortly before the Muddy Waters report muddied St. Jude’s waters.

Abbott Laboratories was up 1.2% at $43.48, with a 52-week range of $36.00 to $46.63.