The St. Jude Medical and Abbott Laboratories Acquisition Timeline
- April 28, 2016: Abbott Laboratories announces its agreement to acquire St. Jude Medical for about $25 billion.
- August 26, 2016: Muddy Waters Capital, in conjunction with MedSec, warns about the cyber security weaknesses of St. Jude’s pacemakers.
- August 26, 2016: St. Jude, which is in the midst of selling itself to Abbott Laboratories, vehemently denies the reports. “Based on available information, we conclude that the report is false and misleading.”
- September 7, 2016: St. Jude Medical sues Muddy Waters and MedSec for defamation. St. Jude says the allegations are false and claims that Muddy Waters and MedSec are “intentionally disseminating false information”. St. Jude reiterates that the company “stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions.”
- October 24, 2016: Muddy Waters and MedSec respond to the St. Jude complaint, defending their research and First Amendment rights. The response also includes expert opinion from Bishop Fox, a cyber security consulting firm, that validates many of the serious concerns brought forward by Muddy Waters and MedSec. Bishop Fox concludes that the security of St. Jude’s “implantable cardiac device ecosystem . . . . do not meet the security requirements of a system responsible for safeguarding life-sustaining equipment implanted in patients.” Furthermore: “The wireless protocol used for communication amongst St. Jude Medical cardiac devices has serious security vulnerabilities that make it possible to convert Merlin@home devices into weapons capable of disabling therapeutic care . . . “
- January 4, 2017: Abbott Laboratories closes its acquisition of St. Jude Medical for about $25 billion.
- January 9, 2017: The Food & Drug Administration and the Department of Homeland Security confirm Muddy Waters’ and MedSec’s findings and issue alerts about the implanted devices made by St. Jude Medical. Simultaneously in connection with the government’s conclusion, St. Jude acknowledges weaknesses in the Merlin@home system and issues a software patch to patch cyber security risks.
- January 9, 2017: Muddy Waters says that the announced fixes do not appear to address the larger problems, including the existence of a universal code that could allow hackers to control the implants.
- January 9, 2017: Matthew Green, an assistant professor for computer science at Johns Hopkins University and a part of the Bishop Fox team, called one vulnerability "probably the most impactful vulnerability I've ever seen."
- February 7, 2017: The Department of Homeland Security updates its cyber security alert with respect to St. Jude Medical’s pacemakers and defibrillators. In sum, St. Jude (now part of Abbott Labs) acknowledges that more models of implantable medical devices than previously disclosed are subject to cyber security threats.
After the merger closed:
- The Chairman of St. Jude Medical stood to take home +$500 million.
- The Chief Executive Officer of St. Jude Medical stood to take home $35 million.