Minnesota Pacemaker Manufacturer Faces Class Action for Cyberattack Risks

Written by: Sam Crochet, Esq.

St. Jude Medical Inc., a producer of remote-access pacemakers and implantable defibrillators, is under intense scrutiny for what cybersecurity researchers have deemed a negligent risk of attack. A California patient has filed a federal class action suit alleging the manufacturer failed to provide adequate cybersecurity controls for its implants. St. Jude Medical has denied the allegations and insists it has appropriate security measures in place. While ransomware attacks on online hospital networks and data breaches to access medical records have become common and well publicized, a handful of cybersecurity attorneys and experts are unsurprised by the risks associated with the St. Jude Medical case. Examples of these cyber risks might include “crash attacks” resulting in the malfunctioning of a pacemaker or insulin pump due to intentional outside interference. Others include blocking, or even altering, real-time data transfer between a provider and a patient’s “wearable” device (e.g., an EKG necklace or ultrasound monitor).

It is critical for medical device manufacturers to follow the FDA guidelines throughout the product life cycle so they can reduce the risk of injury, prevent crushing PR consequences, and avoid legal repercussions. Should cybersecurity risks result in bodily harm to patients, manufacturers and providers could potentially face damages from negligence and product liability claims, as well as obligations related to HIPAA and differing state reporting requirements, depending on the circumstances. Of course, as seen with St. Jude Medical, bodily injury itself is not a prerequisite for litigation, which can be extremely costly and time consuming. Effective legal counsel can walk manufacturers through the FDA guidelines, provide proactive strategies to reduce the likelihood of attack, and advise on remedies to reduce exposure in case of attack.
