STJ ST. Jude Medical, Inc.

By Ezequiel Minaya 

St. Jude Medical Inc. on Friday denied allegations made by a research firm that its pacemakers and other heart devices were vulnerable to hacking and other cybersecurity threats.

"St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions," the company said Friday.

The medical-device maker's comments follow a report by Muddy Waters Capital LLC, which is known for shorting stocks, or betting that a company's share price will fall. Muddy Waters has said it has a short position in St. Jude.

In its report, Muddy Waters said it had seen demonstrations of cyberattacks against St. Jude devices, citing the work of cybersecurity startup MedSec. A call seeking a response from a Muddy Waters representative on St. Jude's comments wasn't immediately returned.

After the release of the Muddy Waters report on Thursday, St. Jude's stock slipped 5% and fell an additional 2.6% Friday before the medical-device maker issued its response.

Following the St. Jude statement, the company's stock ended the day at $78.01, up 19 cents from its close Thursday.

"We conclude that the report is false and misleading," St. Jude officials said.

In its report, Muddy Waters claims that St. Jude's heart devices, such as its defibrillators and pacemakers, are vulnerable to two types of cyberattacks: one in which the device's system is "crashed" and a second in which the battery of the device is drained.

Muddy Waters said that the vulnerable heart devices represented about 46% of St. Jude's total 2015 revenue of $5.54 billion. The firm added that even without a recall of devices "the product safety issues we present in this report offer unnecessary health risks and should receive serious notice among hospitals, physicians and cardiac patients."

St. Jude, in its defense, said it has worked with various experts and regulators involved in cybersecurity to build safeguards into its devices. "The flawed test methodology on outdated software demonstrates fundamental lack of understanding of medical device technology," St. Jude said of the Muddy Waters report.

St. Jude also said Muddy Waters's battery-draining claims amounted to exaggerations because an attack would require a hacker to be within 7 feet of a device for several days to have a chance to be successful.

"In the unlikely instance that was to occur, the implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold to protect and notify patients," the company said.

The St. Paul, Minn.,-based St. Jude is in the process of getting bought by Illinois-based Abbott Laboratories in a cash-and-stock deal valued at $25 billion. An Abbott representative was unavailable for comment Friday.

Write to Ezequiel Minaya at ezequiel.minaya@wsj.com

(END) Dow Jones Newswires

August 26, 2016 17:37 ET (21:37 GMT)

Copyright (c) 2016 Dow Jones & Company, Inc.