A filed lawsuit claims that several lines of St. Jude's heart-regulating devices designed to be monitored remotely with in-home equipment, rather than during in-person visits to the doctor, lack "even the most basic security defenses" to safeguard their computer communications from outsiders. Pacemakers, defibrillators, and heart resynchronizers devices sold by St. Jude Medical can be attacked by hackers to steal personal information and even harm patients.
An attack could slowly drain the device's battery over a few weeks. A "crash attack" could use telemetry signals to put a pacemaker or "into a state of malfunction," making it ignore signals or queries from the Merlin transmitter. Or a crash attack could make a device speed up a patient's heart enough to cause "severe adverse health consequences".
The lawsuit seeks certification of a Class of all person implanted with a “pacemaker, implantable cardioverter-defibrillator, and cardiac resynchronization therapy pacemaker and/or defibrillator with radiofrequency (‘RF’) telemetry capability that was designed, manufactured, marketed, distributed or sold by the Defendants.”
The class action asks for restitution and damages for all Class Members.
The St. Jude Medical Unsecure Pacemaker Class Action Lawsuit is Clinton W. Ross Jr. v. St. Jude Medical Inc., et al., Case No. 2:16-cv-06465, in the U.S. District Court for the Central District of California.