(Adds analyst, interviews throughout)
By Ransdell Pierson and Jim Finkle
NEW YORK/BOSTON Sept 7 (Reuters) - St. Jude Medical Inc STJ.N on Wednesday sued short-selling firm Muddy Waters and cybersecurity company MedSec Holdings Ltd, saying they intentionally disseminated false information about its heart devices to manipulate its stock.
Muddy Waters, run by Carson Block, said in late August that St. Jude's pacemakers and defibrillators, which are used to regulate heart rhythm and treat cardiac arrest, had cybersecurity flaws that enabled them to be hacked and manipulated, with potentially fatal consequences. accusations that the devices are seriously flawed, based on research from start-up cybersecurity company MedSec, knocked St. Jude's shares back 10 percent on Aug. 25. Shares recovered to end that day down 5 percent and remain off by 3 percent.
St. Jude earlier this year agreed to be purchased by Abbott Inc for about $85 per share in cash and stock.
In the lawsuit, St. Jude said Block's statements were defamatory and false, and described the defendants as perpetrating a "willful and malicious scheme to manipulate the securities markets for their own financial windfall."
A spokesman for Muddy Waters and MedSec said in an emailed statement, "It is not unusual for a company like this (St. Jude's) to try to silence its critics and we are always prepared to vigorously defend our right to criticize a company that puts its profits before its patients."
St Jude faces strong free-speech defenses to its defamation claim. Under Minnesota law, the company will most likely have to show not just that the defendants put out wrong information, but did so knowingly and maliciously, lawyers with expertise in such cases said.
Muddy Waters, which became known in 2012 for shorting Chinese companies that trade in North America, declined to comment on the size of its St. Jude short bet. MedSec has acknowledged that it will reap financial gains related to Muddy Waters' short investment.
MedSec Chief Executive Justine Bone told Reuters recently that her firm approached Muddy Waters with a proposal to short St. Jude about three months ago, after spending 18 months in "research mode" and not generating any revenue.
The St. Jude short will help MedSec finance development of technology it is building to secure medical devices, and will also enable the firm to educate the public about security flaws that put patients at risk, she said.
"We have expenses we incur. This is a business relationship," Bone said of the partnership with Muddy Waters. "But our goal here is to bring this to the attention of the public."
She did not respond to a request for comment on Wednesday.
Short-sellers borrow shares and sell them in expectation the price will fall. When it does, the short-sellers buy back the shares, return them to the lender, pay borrowing fees and pocket the difference.
St. Jude said it had filed the lawsuit to protect the reputation of its implantable devices, which it said have numerous features that protect against cyberattacks. It is seeking unspecified financial damages and for the defendants to give up any profits from their investment.
Wedbush Securities analyst Tao Levy said the business relationship between Muddy Waters and MedSec raises questions about the credibility of the allegations. Based on interviews with many doctors, he said it appears that medical professionals remain comfortable with using the devices.
The ethics debate notwithstanding, more such alliances could emerge if the MedSec-Muddy Waters arrangement proves to be lucrative, Robert Graham, chief executive of security firm Errata Security, said in a recent interview.
Another key factor could be the results of an investigation into the St. Jude's devices by the U.S. Food and Drug Administration, which oversees medical devices. The agency, which disclosed its investigation after Muddy Waters went public with the claims, said St. Jude patients for now should continue to use the devices as instructed by physicians.
Chris Wysopal, chief technology officer with security software maker Veracode Inc, said cyber-security researchers are always looking for ways to monetize their work, and teaming up with short sellers offers some advantages.
"If you just give it to the company for free, they fix it and people are happy. But you don't get any money for your work," Wysopal said.
The case is St. Jude Medical vs. Muddy Waters, MedSec Holdings et al, in the United States District Court for the District of Minnesota, No. 16-cv-03002.