St. Jude Medical Snaps Back at Short-Seller Muddy Waters, Says Alleged Merlin@Home ‘Crash’ is Actually a Security Feature

August 29 Video Shows a St. Jude Medical Device Security Feature, Not a Flaw

ST. PAUL, Minn.--(BUSINESS WIRE)--St. Jude Medical, Inc. (NYSE:STJ), a global medical device company, today issued the following statement:

“The allegations made by Muddy Waters and MedSec are irresponsible, misleading and unnecessarily frightening patients”

Patients are our highest priority. St. Jude Medical takes our commitment to patients very seriously because we understand that the 20,000 patients around the world who receive our lifesaving and life improving therapies –– every business day –– count on us to always put them first. And we do.

“The allegations made by Muddy Waters and MedSec are irresponsible, misleading and unnecessarily frightening patients,” said Michael T. Rousseau President and chief executive officer at St. Jude Medical. “We want our patients to know that they can feel secure about the cybersecurity protections in place on our devices. This behavior speaks volumes about the profit-seeking motives and integrity of these organizations.”

Further demonstrating their fundamental lack of understanding of St. Jude Medical’s medical device technology, Muddy Waters Capital and MedSec presented a video yesterday that actually demonstrated the Radio Frequency (RF) Telemetry Lockout security feature of our pacemakers – not a “crash” as they claimed. The video also confirms that the device’s clinical functions are operating as expected under these conditions.

“The video clearly shows a security feature, not a flaw. The pacemaker is actually functioning as designed. If attacked, our pacemakers place themselves into a “safe” mode to ensure the device continues to work, which further proves our commitment to safety and security,” said Phil Ebeling, vice president and chief technology officer at St. Jude Medical.

We have safeguards in place to mitigate so-called “crash attacks”

St. Jude Medical devices are designed to go into a life-sustaining “safe” mode, as a safeguard, if unexpected conditions are detected.

These safeguards will put the device into safe mode where the preprogrammed pacing and defibrillation functions of the implantable medical devices revert to safe settings. In addition, some of our devices, by design, disable further RF communications for a period of time, which may appear to the untrained eye as having rendered the device disabled, although it continues to function.

As part of our commitment to continuous investment in our technology, St. Jude Medical devices have built-in measures to reduce the risk of unauthorized commands being issued to our implantable devices. In addition we have an ongoing focus to continually strengthen our security systems in the ever changing cybersecurity environment. For example:

• Access controls help protect the Merlin@home^™ operating system from unauthorized access
• The lack of built-in programming commands in Merlin@home help ensure that therapy is provided through the implanted device only at the direction of the physician
• Proprietary implantable medical device protocols protect communications with the implantable device
• Encryption of session authentication between the implantable medical device and Merlin@home further enhances device security
• The limited Medical Implant Communication Services (MICS) wireless range restricts accessibility of communications with the implantable device

“Patient safety is and has always been our top priority,” said Mark Carlson, M.D., vice president and chief medical officer at St. Jude Medical. “Our devices are safe and we have taken and continue to take appropriate steps to address the dynamic challenges of cyber security. We do this because it is the responsible thing to do for the patients and physicians who rely on our devices.”

About St. Jude Medical

St. Jude Medical is a leading global medical device manufacturer and is dedicated to transforming the treatment of some of the world's most expensive epidemic diseases. The company does this by developing cost-effective medical technologies that save and improve lives of patients around the world.

Headquartered in St. Paul, Minn., St. Jude Medical employs approximately 18,000 people worldwide and has five major areas of focus that include heart failure, atrial fibrillation, neuromodulation, traditional cardiac rhythm management and cardiovascular. For more information, please visit sjm.com or follow us on Twitter @SJM_Media.

Forward-Looking Statements

This news release contains forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995 that involve risks and uncertainties. Such forward-looking statements include the expectations, plans and prospects for the company, including potential clinical successes, reimbursement strategies, anticipated regulatory approvals and future product launches, and projected revenues, margins, earnings and market shares. The statements made by the company are based upon management’s current expectations and are subject to certain risks and uncertainties that could cause actual results to differ materially from those described in the forward-looking statements. These risks and uncertainties include market conditions and other factors beyond the company’s control and the risk factors and other cautionary statements described in the company’s filings with the SEC, including those described in the Risk Factors and Cautionary Statements sections of the company’s Annual Report on Form 10-K for the fiscal year ended January 2, 2016 and Quarterly Report on Form 10-Q for the fiscal quarter ended July 2, 2016. The company does not intend to update these statements and undertakes no duty to any person to provide any such update under any circumstance.