Rationale Underlying Missouri’s Runaway “Supplemental Jurisdiction” Theory to be Tested by U.S. Supreme Court
January 30, 2017 | Angela Higgins
The U.S. Supreme Court has accepted certiorari in Bristol-Myers Squibb Co. v. Superior Court of California, Dkt. No. 16-466, a pharmaceutical product liability case in which some 600 out-of-state plaintiffs sued in a California court, arguing that the defendant had “contacts” with the state even though their individual claims did not arise out of those contacts. This case is straight from the same playbook that has led to dozens of out-of-state plaintiffs suing out-of-state defendants in the plaintiff-friendly jurisdiction of the City of St. Louis, though the state of Missouri has no legal or logical relationship to these plaintiffs’ claims. The rampant abuse of the judicial system has led to the Circuit Court of the City of St. Louis being deemed the latest “Judicial Hellhole,” and it appears that the U.S. Supreme Court is about to crack down.
A. The California case
In Bristol-Myers Squibb, the question accepted for determination by the Supreme Court is:
The Due Process Clause permits a state court to exercise specific jurisdiction over a defendant only when the plaintiff’s claims “arise out of or relate to” the defendant’s forum activities. Burger King Corp. v. Rudzewicz, 471 U.S. 462, 472 (1985) (citation omitted). The question presented is: Whether a plaintiff’s claims arise out of or relate to a defendant’s forum activities when there is no causal link between the defendant’s forum contacts and the plaintiff’s claims—that is, where the plaintiff’s claims would be exactly the same even if the defendant had no forum contacts.
Bristol-Myers Squibb follows a decision of the California Supreme Court affirming denial of the defendant’s motion to dismiss for lack of personal jurisdiction. The drug at issue was not manufactured or designed in California; its marketing, packaging, and regulatory materials were not prepared in California; and, critically, it was not prescribed to, dispensed to, or ingested by respondents in California. The very concept of 600 unrelated plaintiffs with no contact with the forum state using that state as a friendly forum to maintain their claims against non-resident defendants is blatantly offensive to the concept of personal jurisdiction, and it is encouraging that the Supreme Court has granted certiorari to hear this appeal.
It is commonly accepted amongst practitioners that courts, particularly state courts, struggle with the limitations of personal jurisdiction. Personal jurisdiction can be general or specific. See Daimler AG v. Bauman, 134 S. Ct. 746, 754 (2014). Specific jurisdiction, also known as “contact-based” jurisdiction, refers to personal jurisdiction which derives from a defendant’s actions in the forum state. See id. General jurisdiction refers to a court’s power over a defendant regardless of where the claims arose, based upon a defendant’s overwhelming contacts with the state. See id.
As Bristol-Myers Squibb argues in its petition for writ of certiorari, and amicus Product Liability Advisory Council notes in its brief in support of the cert petition, many state courts have “blended” the doctrines of general jurisdiction and contact-based specific jurisdiction to arrive at a hybrid non-standard that effectively subjects any defendant with any type of national commercial presence to jurisdiction anywhere its products are sold. The frequently-expressed test established by the U.S. Supreme Court, and, indeed, the very nature of “contact-based specific personal jurisdiction,” is not complex; it is merely flouted because it is in tension with state courts’ desire to afford a forum for cases that they are not constitutionally authorized to hear.
B. Missouri long-arm jurisdiction
The exercise of personal jurisdiction over non-residents is called “long-arm” jurisdiction. The Missouri courts’ authority to exercise long-arm jurisdiction is constrained by the Missouri statutes and the U.S. Constitution. Missouri’s long-arm statute expressly affords contact-based specific jurisdiction over the person of non-resident defendants. See Shouse v. RFB Const. Co., Inc., 10 S.W.3d 189, 193 (Mo. App. W.D. 1999). Specific jurisdiction is called “contact-based” because such jurisdiction only exists for a cause of action “arising from” certain specified conduct by the defendant within the forum state. See Mo. Rev. Stat. § 506.500.1.
In product liability actions brought in the Missouri courts, plaintiffs commonly rely upon two statutory provisions for long-arm jurisdiction. One is the commission of a tort in Missouri. See Mo. Rev. Stat. § 506.500.1(3). The other is the transaction of business in Missouri. See Mo. Rev. Stat. § 506.500.1(1). Properly applying the jurisdictional test, it is the plaintiff’s burden to establish personal jurisdiction. Conway v. Royalite Plastics, Ltd., 12 S.W.3d 314, 318 (Mo. banc 2000).
In order to rely upon the “tortious act” provision of the long-arm statute, a plaintiff is required to show that the non-resident defendant committed a tort in Missouri and that the tortious conduct caused the plaintiff’s injuries. Hollinger v. Sifers, 122 S.W.3d 112, 116 (Mo. App. W.D. 2003). In applying the long-arm statute, the Missouri courts in the past have correctly rejected the contention that non-resident defendants should be subject to personal jurisdiction because a plaintiff suffered some “effect” or injuries in Missouri. See Mello v. Giliberto, 73 S.W.3d 669, 678 (Mo. App. E.D. 2002). Instead, the statute is limited to authorizing jurisdiction over non-resident defendants who “committed a tortious act” within the state, and only where the plaintiff’s “cause of action aris[es] from the doing of any of such acts.” See Mo. Rev. Stat. § 506.500.1. When the defendant is not a resident of the state, it is difficult to imagine how it engaged in tortious conduct directed toward a plaintiff who is also located outside the forum state. Accordingly, if this test were properly applied, it should be difficult for non-resident plaintiffs to establish contact-based specific personal jurisdiction over a defendant based upon the “tortious act” provision of the long-arm statute.
The long-arm statute’s grant of personal jurisdiction based upon the “transaction of any business within the state” is intended to confer jurisdiction over nonresidents “who enter into various kinds of transactions with residents of Missouri.” Capitol Indemn. Corp. v. Citizens National Bank of Fort Scott, N.A., 8 S.W.3d 893, 904 (Mo. App. W.D. 2000) (emphasis added). The subject matter of that particular transaction must be the one that allegedly caused the plaintiff’s alleged injuries. See id.; Mo. Rev. Stat. § 506.500.1(1). The circumstances in which a non-resident plaintiff could successfully argue for personal jurisdiction in a product liability case based upon the “business transaction” provision of the long-arm statute should be exceptionally limited.
C. Constitutional due process limitations
The Bristol-Myers Squibb outcome will be significant in Missouri because the Missouri courts’ exercise of personal jurisdiction is not only based upon the provisions of our statute, but is also limited by due process requirements found in the U.S. Constitution. For a court to exercise personal jurisdiction over non-resident defendants, the plaintiff’s claims must arise out of one or more of the types of conduct identified in Missouri’s long-arm statute, and the non-resident defendant must have had sufficient “minimum contacts” with the forum state for the exercise of personal jurisdiction to comport with the defendant’s constitutional due process rights. See Conway v. Royalite Plastics, Ltd., 12 S.W.3d 314, 318 (Mo. banc 2000).
The long-arm statute “extend[s] jurisdiction of the courts of this state over nonresident defendants to the extent permissible under the due process clause of the fourteenth amendment of the constitution of the United States.” Hollinger v. Sifers, 122 S.W.3d 112, 115 (Mo. App. W.D. 2003) (citing State ex rel. K-Mart Corp. v. Holliger, 986 S.W.2d 165, 167-68 (Mo. banc 1999)). The minimum contacts test is satisfied for due process purposes when a non-resident defendant “purposefully directed” its activities at residents of the forum state, and the litigation results from alleged injuries that “arise out of or relate to” those activities. Burger King Corp. v. Rudzewicz, 471 U.S. 462, 472 (1985) (emphasis added); Daimler AG v. Bauman, 134 S. Ct. 746, 754 (2014).
The Missouri courts have held that the commission of an extraterritorial tortious act that produces consequences in Missouri may provide a basis for the exercise of personal jurisdiction, but only where the non-resident defendant “set in motion some course of action which was deliberately designed to move into Missouri and injure the plaintiff.” Capitol Indemn. Corp. v. Citizens National Bank of Fort Scott, N.A., 8 S.W.3d 893, 903 (Mo. App. W.D. 2000) (emphasis added). The “‘purposeful availment’ requirement ensures that a defendant will not be hauled into a jurisdiction solely as a result of ‘random,’ ‘fortuitous,’ or ‘attenuated’ contacts or of the ‘unilateral activity of another party or third person.’” State ex rel. William Ranni Associates, Inc. v. Hartenbach, 742 S.W.2d 134, 138 (Mo. 1987).
Because the second half of the test that any plaintiff must satisfy to establish long-arm jurisdiction in Missouri deals with the constitutional due process limitations established by the U.S. Supreme Court and relevant federal authorities, developments in Bristol-Myers Squibb should rein in the abuses that are seen in the Missouri courts, and particularly the City of St. Louis.
Now, the U.S. Supreme Court has been very clear that contact-based specific personal jurisdiction requires that the particular plaintiff’s claim arise out of the defendant’s contacts with the forum state, and that the concept of “general jurisdiction” is functionally dead for use in these types of personal injury cases. Absent an “exceptional” case, a corporation is only subject to general jurisdiction where it is “at home,” i.e., where it “is incorporated or has its principal place of business.” Daimler, 134 S. Ct. at 760 & 761 n.19. As with Bristol-Myers Squibb, Daimler arose from an overreach on jurisdiction by the California courts. In Daimler, the Supreme Court held that the California court lacked general jurisdiction over the defendants because “neither Daimler nor MBUSA is incorporated in California, nor does either entity have its principal place of business there.” Id. at 761. The fact that the defendant’s wholly-owned subsidiary did significant and continuous business within the state did not support the exercise of general jurisdiction. See id. at 752, 761. “Plaintiffs would have us . . . approve the exercise of general jurisdiction in every State in which a corporation ‘engages in a substantial, continuous, and systematic course of business.’ . . . That formulation, we hold, is unacceptably grasping.” Id. at 760-61.
Given that general jurisdiction is not a viable argument for jurisdiction over non-resident defendants, plaintiffs must establish contact-based specific personal jurisdiction. “[T]he defendant’s suit-related conduct must create a substantial connection with the forum.” Walden v. Fiore, 134 S. Ct. 1115, 1121-22 (2014). The Missouri Supreme Court has previously recognized this, holding that the cause of action must arise out of the particular contact with Missouri. Conway, 12 S.W.3d at 318.
Despite clear and binding guidance, however, California, Missouri, and a minority of other jurisdictions have allowed non-residents to take advantage of their states as a forum to litigate disputes that are wholly unrelated to any of the defendants’ conduct within the state. Bristol-Myers Squibb argues, correctly, that a Tennessee plaintiff should not be able to sue a Delaware/New York citizen defendant in California. As the Supreme Court has consistently and repeatedly recognized, there are limitations on a state’s ability to encroach upon jurisdiction that is rightfully placed in another state.
Those states, including Missouri, that fail to strictly apply personal jurisdiction limitations are engaged in an unconstitutional power-grab from their sister states. The restrictions on the courts’ exercise of personal jurisdiction “are more than a guarantee of immunity from inconvenient or distant litigation.” Hanson v. Denckla, 357 U.S. 235, 251 (1958). Rather, “[t]hey are a consequence of territorial limitations on the power of the respective States.” Id.; see also World-Wide Volkswagen, 444 U.S. at 292 (minimum contacts requirement serves the dual functions of protecting defendant against the burden of litigation and ensuring states “do not reach out beyond the limits imposed on them by their status as coequal sovereigns in our federal system”). “Due process limits on the State’s adjudicative authority principally protect the liberty interest of the nonresident defendant – not the convenience of plaintiffs or third parties.” Walden v. Fiore, 134 S. Ct. 1115, 1125 n.9 (2014). “Due process protects [a defendant’s] right to be subject only to lawful authority.” J. McIntyre Machinery Ltd. v. Nicastro, 564 U.S. 873, 887 (2011). The crux of the personal jurisdiction inquiry is whether the defendant “reveal[ed] an intent to invoke or benefit from the protection of” the laws of the forum state. Id. Absent plaintiff’s proof of such intent, the forum state is “without power to adjudge the rights and liabilities” of the foreign defendant. Id.
Missouri courts simply lack the power to hear cases by non-resident plaintiffs against non-resident defendants, and the continued flouting of jurisdictional limitations has created a constitutional crisis in this country and within the state.
D. Each plaintiff must establish personal jurisdiction
Missouri state courts generally fail to appreciate what the federal courts recognize – that each plaintiff in a multi-plaintiff action must independently establish personal jurisdiction over the defendant with respect to his/her claims. See, e.g., Sun World Lines, Ltd. v. March Shipping Corp., 585 F. Supp. 580, 584-85 (E.D. Mo. 1984) (“[P]ersonal jurisdiction must be valid as to each and every cause of action in a complaint. Those causes of action which do not provide a sufficient basis for in personam jurisdiction must be dismissed even if other claims have such a basis.”) (citations omitted), aff’d, 801 F.2d 1066 (8th Cir. 1986); see also Seiferth v. Helicopteros Atuneros, Inc., 472 F.3d 266, 274-75 (5th Cir. 2006) (“Permitting the legitimate exercise of specific jurisdiction over one claim to justify the exercise of specific jurisdiction over a different claim that does not arise out of or relate to the defendant’s forum contacts violate[s] the Due Process Clause.”).
An MDL court, applying Missouri and federal law, found that “the specific jurisdiction inquiry in this case must be conducted separately for the claims of each individual plaintiff.” In re Testosterone Replacement Therapy Prods. Liab. Litig. (“In re: TRT”), 164 F. Supp. 3d 1040, 1047 (N.D. Ill. 2016). Thus, “every plaintiff . . . [must] show that his claims arise from, or are related to, defendants’ conduct in Missouri.” Id.
The Missouri state courts, however, have tended toward truly absurd results and unheard-of verdicts in product liability actions maintained by improperly joined out-of-state plaintiffs. The Court of Appeals for the Eastern District recently affirmed a $38 million verdict in favor of a Minnesota plaintiff who sued a Delaware/Illinois citizen defendant. See Slip Opinion, Barron v. Abbott Laboratories, Inc., Case No. ED103508. This is merely the “bellwether” – there are dozens of plaintiffs’ claims still to be tried in that action, which joined unrelated plaintiffs from around the country. Huge verdicts in improperly-joined out-of-state plaintiff actions involving talcum powder have also recently emerged from the City of St. Louis, and are merely the tip of the iceberg if overreach on personal jurisdiction is not reined in.
Both the Circuit Court for the City of St. Louis and the Court of Appeals for the Eastern District completely glossed over the fundamental jurisdictional problem with the Barron case, and the dozens of others that have followed as out-of-state plaintiffs rush to get a seat at the trough. Each and every one of the Barron plaintiffs was required, by the Missouri long-arm statute and by the U.S. Constitution, to establish personal jurisdiction over the defendant, but neither the trial court nor the Court of Appeals required them to do so. Instead, both courts found that the state’s permissive joinder rules permitted joinder of the unrelated plaintiffs, and simply refused to perform a jurisdictional analysis.
As to joinder, the cases on which the decisions at both levels rely have been misrepresented, and the courts ignored clear and binding authority that prohibits joinder of unrelated product liability plaintiffs. Rule 52.05 identifies the only circumstances under which parties may be properly joined in a single action:
All persons may join in one action as plaintiffs if they assert any right to relief jointly, severally, or in the alternative in respect of or arising out of the same transaction, occurrence or series of transactions or occurrences and if any question of law or fact common to all of them will arise in the action.
Mo. R. Civ. P. 52.05(a) (emphasis added). Both tests must be met for plaintiffs to be joined in a single action. Id.; State ex rel. Allen v. Barker, 581 S.W.2d 818, 826 (Mo. banc 1979). Misjoinder of claims or parties requires severance of the claims. See State ex rel. Gulf Oil Corp. v. Weinstein, 379 S.W.2d 172, 174 (Mo. App. St. L. 1964). In Gulf Oil, plaintiffs had purchased fuel oil in unrelated transactions at different times. Id. at 174. These transactions did not constitute the “same transaction nor a series of transactions.” Id. at 175. Even though the plaintiffs all sustained fires, these occurred on different dates. Id. Accordingly, the plaintiffs’ losses did not constitute the same “occurrence.” Id.
The Barron court did a 180 from its prior analysis in Gulf Oil, rejecting the defendant’s argument that “the Court should look solely from the perspective of the particular circumstances of each plaintiff’s mother’s use of Depakote as constituting the relevant ‘transactions’ and not from the perspective of Appellant’s nationwide promulgation and marketing of Depakote.” Slip Op. at 7. Of course, the “same transaction” test in a product liability action is a plaintiff-based test, as the court had previously found in Gulf Oil and as regularly found under the federal rules. In State ex rel. Allen v. Barker, 581 S.W.2d 818, 826 (Mo. banc 1979), the Missouri Supreme Court discussed the adoption of Rule 52.05(a), recognized that it was patterned after Fed. R. Civ. P. 20, and applied federal cases to interpret it. Id. There is abundant federal authority disapproving the joinder of unrelated plaintiffs in pharmaceutical and medical device actions, which cuts against the dubious rationale of Barron.
Commentators have lamented Barron and remarked upon the liberal joinder rule in Missouri, but the statute is derived from and intended to be applied in the same manner as the corresponding federal rule. The fault is not in the text of the rule, it is in its mistaken application, and the failure of the Missouri courts to conduct any meaningful jurisdictional analysis. Barron has been accepted by the Missouri Supreme Court for further review, and the judgment may not stand, but the myriad of errors in the underlying case makes it doubtful that a clear ruling on personal jurisdiction will emerge from that appeal.
The argument that numerous unrelated out-of-state plaintiffs may be joined under Missouri’s Rule 52.05 with one plaintiff who properly asserts contact-based specific personal jurisdiction is a type of “pendent” or “supplemental” theory of specific personal jurisdiction. Liggins v. Abbvie Inc. (In re Testosterone Replacement Therapy Prods. Liab. Litig.), 164 F. Supp. 3d 1040, 1048 (N.D. Ill. 2016). However, “[t]here is no such thing as supplemental specific personal jurisdiction; if separate claims are pled, specific personal jurisdiction must independently exist for each claim and the existence of personal jurisdiction for one claim will not provide the basis for another claim.” Seiferth v. Helicopteros Atuneros, Inc., 472 F.3d 266, 275 n.6 (5th Cir. 2006) (emphasis added).
It is hoped that the resolution of Bristol-Myers Squibb will put to rest the runaway “supplemental personal jurisdiction” argument that has been adopted in Missouri. With Republican domination of the state legislature and governor’s office, tort reform to address the litigation abuses that have garnered national attention is imminent, and may also provide corrective measures on this issue.
The Inherent Risks, Impacts of Security Decisions, and Practical Approaches – Best Practices to Prepare, Mitigate, and Otherwise Manage Vulnerabilities and Potential Cybersecurity Attacks
Continuing from our two prior posts in this three-part series on effectively addressing cybersecurity breaches in medical devices, this third and final post will focus on best practices to prepare, mitigate and otherwise manage vulnerabilities and potential cyber-attacks.
Best practices to prepare, mitigate, and otherwise manage vulnerabilities and potential cybersecurity attacks
The FDA has issued both pre-market considerations[i], which consist of proactively addressing vulnerabilities, and post-market considerations[ii], which consist of mitigation, remediation, and other risk management strategies, to aid in addressing today’s issues of medical device vulnerabilities and potential cybersecurity attacks on those devices. For more details on the FDA’s post-market guidance, see our prior series "FDA Issues Draft Guidance Document for Postmarket Management of Cybersecurity in Medical Devices" posted in four parts here, here, here, and here.
The pre-market considerations include (1) identifying assets, threats, and vulnerabilities; (2) assessing the impact of threats and vulnerabilities on device functionality and end users/patients; (3) assessing the likelihood of a threat and of a vulnerability being exploited; (4) determining risk levels and suitable mitigation strategies; and (5) assessing the residual risk and risk acceptance criteria.[iii] The manufacturer’s pre-market submission effectively documents the pre-market considerations worked out thus far, such as the hazard analysis, mitigation and design considerations associated with the potential cybersecurity risks of the specific medical device, a summary of the plan for cybersecurity updates and patches, a matrix and summary showing and discussing the cybersecurity controls and the risks they address, and device instructions for the specific product recommending how to properly use and secure the device.[iv]
Even after rigorous testing and risk assessment in the pre-market consideration and submission phase, given the rapid pace of technology today, medical device manufacturers and companies should never stop evaluating the potential vulnerability of their devices or considering how to mitigate and remediate the same.[v] Mitigation is a risk management strategy used to minimize the impact of a cybersecurity attack on medical devices and the systems to which they are connected or networked; it takes into consideration that the risk is the outcome of an attack and the aspect of security it affects.[vi] Remediation consists of an action or actions taken to reduce the risk to the medical device’s essential clinical performance to an acceptable level, including, but not limited to, finding an official fix or solution to remove a cybersecurity vulnerability, or using a compensating control (such as notifying the consumer base about a temporary fix or other work-around solution) to adequately mitigate the risk.[vii] One remediation strategy is to engage in cybersecurity “routine updates and patches,” which involves updates, enhancements, or patches to a medical device. These updates and patches increase the medical device’s security and help to remediate the device’s vulnerabilities linked to the device’s controlled risk, while not increasing the risk to a patient’s health. Such updates and/or patches include, but are not limited to, software, firmware, and hardware updates.
Other post-market considerations issued by the FDA include: (1) monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk, which may require auditing of the network and immediately reporting any security breach;[viii] (2) understanding, assessing, and detecting the presence and impact of a vulnerability; (3) establishing and communicating processes for vulnerability intake and handling; (4) clearly defining essential clinical performance to develop mitigations that protect, respond, and recover from the cybersecurity risk; (5) adopting a coordinated vulnerability disclosure policy and practice; and (6) employing mitigations that address cybersecurity risk early and prior to exploitation.
Other all-around best practices[ix] discussed by the FDA have been to:
1. Limit access to only trusted users through the use of such things as passwords, usernames, smartcards, biometrics, automatic timers, and physical locks;[x]
2. Ensure that only trusted content is within the device and/or system by such means as restricting updates to the same or using encryption;[xi]
3. “Detect, respond, and uncover,” which can be accomplished by using procedures and features that alert security compromises, educate the end user(s) on detections of security breaches, and provide methods for retention and recovery of devices;[xii]
a. These elements are consistent with the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (i.e., Identify, Protect, Detect, Respond and Recover);[xiii]
4. Create a structured and systematic approach to risk management and quality management systems consistent with 21 CFR part 820, which would include methods to identify, characterize, and assess a cybersecurity vulnerability and methods to analyze, detect, and assess threat sources;[xiv]
5. Be proactive! Practice good cyber hygiene and reduce cybersecurity risks even when residual risk is acceptable;
6. Remediate by finding an official and/or temporary fix to cybersecurity vulnerabilities to reduce the risk of compromise to essential clinical performance to an acceptable level;
7. Keep in contact and maintain a solid, formal business relationship with any software vendors to ensure they are providing you timely information about any quality and/or security problems that you can correct and/or prevent; and[xv]
8. Incorporate elements consistent with the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (i.e., Identify, Protect, Detect, Respond and Recover).
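Items 2 and 3 above (accept only trusted content onto the device, and alert on a compromise attempt) are the two practices that translate most directly into device code. The following is an added example, not code from the FDA guidance or from any device manufacturer: it packages a firmware update with a manifest and an integrity tag on the manufacturer side, and on the device side refuses any update whose tag, payload hash, or version does not check out, writing an audit entry either way so a rejected update can raise an alert. All names, the key, and the payload are constructed for the example; HMAC with a device-held secret is used only so the block runs with the Python standard library, whereas a real device would verify an asymmetric signature over the manifest with a manufacturer public key. The version check goes slightly beyond the text, since restricting updates in practice also means refusing an older image that reintroduces a patched vulnerability.

```python
import hashlib
import hmac
import json

# Constructed demo key. A production device would hold a manufacturer
# verification (public) key provisioned at manufacture, not a shared secret.
DEVICE_UPDATE_KEY = b"constructed-demo-key-not-for-production"


def build_update(key, version, payload):
    """Manufacturer side: wrap a firmware payload in a tagged manifest.

    The manifest binds the version number to the SHA-256 of the payload; the
    tag covers the manifest, so neither field can be altered unnoticed.
    """
    manifest = {"version": version, "sha256": hashlib.sha256(payload).hexdigest()}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    return {"manifest": manifest_bytes, "tag": tag, "payload": payload}


def verify_update(key, update, installed_version, audit_log):
    """Device side: return True only if every check passes.

    Every decision is appended to audit_log so that a rejected update can be
    surfaced to the operator (practice 3: detect, respond, and uncover).
    """
    expected_tag = hmac.new(key, update["manifest"], hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(expected_tag, update["tag"]):
        audit_log.append("REJECT manifest tag mismatch (possible forged manifest)")
        return False
    manifest = json.loads(update["manifest"])
    if hashlib.sha256(update["payload"]).hexdigest() != manifest["sha256"]:
        audit_log.append("REJECT payload hash mismatch (possible tampered image)")
        return False
    if manifest["version"] <= installed_version:
        audit_log.append(
            f"REJECT version {manifest['version']} not newer than installed {installed_version}"
        )
        return False
    audit_log.append(f"ACCEPT version {manifest['version']}")
    return True


def run_demo():
    """Exercise the device check against a genuine update and three bad ones."""
    installed_version = 1
    audit_log = []
    genuine = build_update(DEVICE_UPDATE_KEY, 2, b"firmware v2 image (constructed)")

    # Same manifest and tag, but the image bytes were altered in transit.
    tampered = dict(genuine, payload=b"firmware v2 image (constructed) + extra code")

    # Manifest rewritten to claim version 3 over the genuine payload; the tag
    # still belongs to the original manifest, so it no longer matches.
    forged_manifest = json.dumps(
        {"version": 3, "sha256": hashlib.sha256(genuine["payload"]).hexdigest()},
        sort_keys=True,
    ).encode()
    forged = dict(genuine, manifest=forged_manifest)

    # A correctly tagged but older image (rollback attempt).
    stale = build_update(DEVICE_UPDATE_KEY, 1, b"firmware v1 image (constructed)")

    results = {
        "valid": verify_update(DEVICE_UPDATE_KEY, genuine, installed_version, audit_log),
        "tampered_payload": verify_update(DEVICE_UPDATE_KEY, tampered, installed_version, audit_log),
        "forged_manifest": verify_update(DEVICE_UPDATE_KEY, forged, installed_version, audit_log),
        "stale": verify_update(DEVICE_UPDATE_KEY, stale, installed_version, audit_log),
    }
    return results, audit_log


if __name__ == "__main__":
    outcome, log = run_demo()
    print(outcome)
    for entry in log:
        print(entry)
```

The audit log is the hook for the "alert on compromise" practice: a device that sees repeated REJECT entries has something worth reporting to the hospital's network monitoring, which is the kind of signal the post-market monitoring considerations above rely on.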
The threat that a pacemaker will be hacked by foreign terrorists may be low, but the risk of devastating and life-threatening cybersecurity attacks in medical devices and healthcare is significant. To ensure the future protection of medical devices in a networked world, device manufacturers, regulatory bodies, healthcare providers and patients must engage in a coordinated proactive approach that includes standard cybersecurity assessment and control, together with specific medical device data and workflow considerations.
[i] U.S. Food and Drug Administration, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff, October 2, 2014.
[ii] U.S. Food and Drug Administration, Postmarket Management of Cybersecurity in Medical Devices, Draft Guidance for Industry and Food and Drug Administration Staff, January 22, 2016.
[iii] Supra, note 1.
[v] Patricia AH Williams, Andrew J Woodward, Cybersecurity vulnerabilities in medical devices: a complex environment and multifaceted problem, Med Devices (Auckl). 2015; 8: 305–316.
[vii] Supra, note 2.
[viii] Williams, Woodward, supra note 5.
[x] Supra note 1.
[xiv] Supra note 2.
[xv] U.S. Food and Drug Administration, Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software, May 28, 2015.
The Inherent Risks, Impacts of Security Decisions, and Practical Approaches – Cybersecurity and Attacks on Medical Devices
Continuing from our prior post in this three-part series on effectively addressing cybersecurity breaches in medical devices, this second post will focus on specific examples of cybersecurity attacks on medical devices.
Cybersecurity and attacks on medical devices
If you have turned on the television, read the news, or listened to the radio recently, you have heard that cybersecurity threats are something we all have to be concerned about. We hear about data breaches affecting the disclosure of personal financial information or breaches into the nation’s military weapons system. But in the context of medical devices, cybersecurity is the process of preventing a breach or unauthorized user from gaining access, modifying, misusing, or denying use to information that is stored, accessed, or transferred from a medical device to an external recipient.[i]
Unlike breaches into military systems, where we trust the government is initiating measures to safeguard the general public from threats and direct attacks, the threat of cybersecurity attacks in healthcare is very real, wide-spread, and right in our backyards. There have been numerous real and fictional examples of medical devices falling victim to a cybersecurity attack. A recent study revealed that ninety-four (94) percent of healthcare institutions reported being victims of cyber-attacks.[ii]
Below are some real-life examples of actual medical devices falling victim to a cybersecurity attack:
- August 12, 2011: Hacking into an insulin pump. While the hacking was done as a presentation at a security conference, the presenter showed how to hack into his own insulin pump, although it required security expert knowledge and fairly close proximity to the pump. However, the presentation, even back in 2011, brought back to the limelight whether manufacturers of medical devices were taking the necessary security measures to protect their consumers/patients and the devices from an attack.[iii]
- April 25, 2014: Article explores and/or exposes the vulnerabilities of hospital equipment and their high susceptibility to being hacked, including, but not limited to insulin pumps, defibrillators, and hardcoded passwords in medical devices, used at a large chain of Midwest health care facilities.[iv]
- February 2015: Anthem, Inc. attacked by hackers who obtained data that may have exposed 80 million customers’ personal information. A lawsuit is pending in the Northern District of California, the consolidated complaint alleging that the hackers stole income tax refunds and placed false charges on their credit cards.[v]
- June 1, 2015: Court dismisses claim arising out of a data security breach at Amazon.com (Zappos.com), because the victims lacked standing to sue when they could not identify any specific harm that they had sustained as a result of a data breach that occurred 3.5 years prior.[vi]
- July 31, 2015: FDA issues alert for healthcare facilities to discontinue the use of the Hospira Symbiq Infusion System due to cybersecurity vulnerabilities. As the FDA’s statement set forth, the Hospira system could be accessed remotely through a hospital’s network, giving an unauthorized user access to and control of the device and the ability to change the dosage of general infusion therapy the pump delivers.[vii]
- June 2016: Hacker gains access to 397,000 patient records from the internal network of a large database in Georgia, 210,000 patient records from a database somewhere in the Midwest (retrieved from a “severely misconfigured network”), and 48,000 records located in Farmington, Missouri.[viii] The hacker then put the information up for sale at around $485K. This is just one of many recent “ransomware” stories; ransomware is a category of malicious software (“malware”) that encrypts a user’s disk drives and demands some form of compensation in return for critical data held hostage.[ix]
For best practices on how to prepare, mitigate, and otherwise manage vulnerabilities and potential cybersecurity attacks, stay tuned for part three of this series coming soon. Read part one of this series on navigating the medical device field and vulnerabilities of medical devices here.
[i] U.S. Food and Drug Administration, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff, October 2, 2014.
[ii] Barbara Filkins, Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare On Horizon, SANS Institute, February 2014.
[iii] Morgan E. Peck, Medical Devices Are Vulnerable to Hacks, But Risk Is Low Overall, August 12, 2011.
[v] Carolyn Purwin Ryan, Cyber Security Vulnerabilities: Is Your Medical Device At Risk?, January 2016.
[viii] Chris Nerney, Hacker puts 10 million stolen health records up for sale, June 30, 2016.
[ix] Health Held Hostage: Ransomware in the Health Care Industry, May 26, 2016.
About Drug / Device Law Blog
The Drug / Device Law Blog is made available by Baker Sterchi Cowden & Rice LLC for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. Your use of this blog site alone creates no attorney client relationship between you and the firm.
Do not include confidential information in comments or other feedback or messages related to the Drug / Device Law Blog, as these are neither confidential nor secure methods of communicating with attorneys. The Drug / Device Law Blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.