Johnson & Johnson is telling patients that it has learned of a cyber security bug in one of its insulin pumps that a hacker could exploit to overdose diabetic patients with insulin, although it describes the hacking risk as low. Medical device experts said they believe it was the first time a manufacturer had issued such a warning to patients about a cyber vulnerability, a hot topic in the industry following revelations last month about possible vulnerabilities in pacemakers and defibrillators. The OneTouch Ping Insulin Pump and Meter Animas Corp. J&J executives told Reuters they knew of no examples of attempted attacks on the device, the J&J Animas OneTouch Ping insulin pump. The company is nonetheless warning customers and providing advice on how to fix the problem. "The probability of unauthorized access to the OneTouch Ping system is extremely low," the company said in letters mailed out on Monday to doctors and about 114,000 patients in the United States and Canada who use the device. A copy of the text of the letter was made available to Reuters. (A Johnson & Johnson spokesman told NBC News that the device is 12 years old and that newer devices are encrypted with more security. He said a hacker would have to be within 25 feet of the device to affect the signal.) The warning is being delivered a month after a prominent short seller and cyber security research firm went public with allegations of potentially life-threatening cyber vulnerabilities in heart devices from St. Jude Medical Inc . St. Jude said the allegations were false as its shares tumbled and the U.S. Food and Drug Administration began an investigation. The FDA is preparing to release formal guidance on how medical device makers should handle reports about cyber vulnerabilities. J&J said it reviewed the matter with the FDA before sending the letter. An early draft of that guidance, which was released in January for public comments, calls for device makers to work with security researchers, identify steps to mitigate risks, and provide patients with information about bugs so they can "make informed decisions" about device use. The FDA declined comment on J&J's handling of the vulnerability in