The FDA issued an April 12 warning letter to Abbott Laboratories regarding known manufacturing and quality control issues that include a long-nagging cybersecurity one. The problems stem from a February inspection of a Sylmar, Calif., facility that was gained via the acquisition of St. Jude Medical, which closed in early January.

Abbott Park, Ill.-based Abbott shed more than $1 billion in market cap on the news, with Wall Street analysts worried less about the rectification of these ongoing issues – and more about the potential delays this news could portend for anticipated product approvals, which could hinge on manufacturing issues being ironed out.

ABBOTT ASSURANCES

The warning letter largely focuses on two previously known issues: premature lithium battery depletion in implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators and cybersecurity risks with its high voltage and peripheral devices.

Abbott quickly offered reassurances that it's working to address these issues – and to note that the inspection started on Feb. 7, only a brief amount of time after the St. Jude acquisition had closed on Jan. 4.

It responded to the FDA investigator observations on March 13, with the warning letter detailing the ways in which that response was inadequate. Much of the agency's remaining criticism stem from a lack of a systematic approach and the failure to provide evidence of its efforts.

The company said it is in the process of implementing the corrective actions it proposed in March.

"We take these matters seriously, continue to make progress on our corrective actions, will closely review FDA's warning letter, and are committed to fully addressing FDA's concerns," Abbott said in a statement.

APPROVAL DELAYS

Wall Street analysts pointed out that these continuing issues could spell trouble for upcoming approvals tied to the facility. The warning letter itself says, "Premarket approval applications for class III devices to which the Quality System regulation deviations are reasonably related will not be approved until the violations have been corrected."

"The most significant concern here, in our view, is the degree to which these issues potentially slow down FDA approval of Abbott/St. Jude MRI-Safe ICD and CRT-D devices (expected by year-end 2017)," Rick Wise of Stifel said in a note. He expects that it will take several months for more clarity on this issue.

Larry Biegelsen of Wells Fargo underscored not only the PMA approval delay for these products, which he expects now in 2018, but also the potential liability and negative corporate publicity.

More optimistic is Cowen's Joshua Jennings, who argued these likely will be supplemental filings that are not subject to the same rules as full PMAs. He said there is precedent citing a similar situation at the same facility during which the FDA issued a supplemental approval in 2014. In that instance, the supplemental filing was submitted to the FDA during the week after the inspection that led to the warning letter was complete.

The lengthy letter relates to the Fortify, Unify, Assura (including Quadra) implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators, and the Merlin@home monitor transmitter from the Sylmar facility.

In addition to noting a 2014 patient death that was tied to the battery problem, the letter cited seven devices that were implanted after a recall last October instead of being returned as required.

CYBERSECURITY, AGAIN

The warning letter also scolded Abbott for not sufficiently addressing cybersecurity issues with its high voltage and peripheral devices that were the subject of much back-and-forth between St. Jude and investment research firm Muddy Waters Research.

St. Jude had long protested that the accusations from Muddy Waters, originally based on information from cybersecurity firm Medsec, were unfounded. But this FDA warning letter makes clear that cybersecurity has been – and continues to be – a problem for these St. Jude, now Abbott, devices.

In October, St. Jude characterized the Muddy Waters public cybersecurity criticisms as "unverified" and unilaterally said that it "stands behind the security and safety of our devices."

St. Jude was dismissive of cybersecurity problems at the time, but those issues have now been raised as continuing by the FDA. At best, that points to transparency issues between the company and its customers that are on the path to be addressed, if belatedly. But, at worst, Abbott itself may have been unaware of the full extent of these issues during the St. Jude acquisition for $25 billion that was initiated in April 2016.

The warning letter gives Abbott only 15 business days to complete corrections and/or corrective actions to address its listed concerns, or to provide the FDA with a reason for the delay and a timeline for rectification. Abbott will certainly need to address its progress on its first quarter earnings call, which is coming up soon on April 19.