Florida Attorney General James Uthmeier has subpoenaed two medical companies selling Chinese-made patient monitors over concerns that the devices could send patient data to China.
The office alleged that Contec “concealed serious security problems” in its products, including a built-in “backdoor” that could “allow bad actors to manipulate data” on the devices without knowledge of either the patient or the provider, and programming that automatically sends patient information to an IP address that belongs to a university in China.
Some of the “most private, personal information” is going to China “without the consent, and in most cases, the awareness, of the patient,” Uthmeier told The Epoch Times.
“I think there’s a major consumer protection issue for Floridians, for Americans as a whole, and we’re not going to stand for it,” he said.
Uthmeier’s office alleged that Contec and Epsimed may have violated a state law, the Deceptive and Unfair Trade Practices Act, in the assurances they made on product quality when the products appear to fall far short of standards given their security vulnerabilities. He threatened to pursue damages, civil penalties, and injunctive relief to protect consumers.
CISA, FDA Warn on Monitor Breach
Earlier this year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) issued warnings about a security loophole in a model of Contec’s patient monitors, the CMS8000, which Epsimed was also selling under the name MN-120. The FDA warning stated that once connected to the internet, the patient monitor begins to gather patient data, including personally identifiable information and protected health data, and sends that information “outside of the health care delivery environment.”
Analysis from CISA on three versions of Contec CMS8000 monitors found a vulnerability connecting the device to a hard-coded IP address from a “third-party university,” which allows the device to “download and execute unverified remote files.” The backdoor function could also overwrite files on the medical device, and hospitals won’t know what software is running on the gear, CISA said.
Uthmeier said the issue presents a “major national security concern.”
“We see fentanyl coming in over the southern border,” he said. “We see farmland being purchased, land near our military institutions across the country. This presents one additional thing that I believe we’re at risk of—China harming our country by having access to very private personal information about our citizens. That information could be used in many ways to hurt our country and its citizens.”
“This is the tip of the iceberg,” he added, noting that they would investigate any other company engaging in similar practices.
Michael Lucci, CEO of State Armor, a U.S.-based nonprofit that focuses on helping state governments counter global security threats, said in a statement that he hopes states nationwide take similar steps.
He described the case as “China’s penetration of ... critical infrastructure with products that fail the most basic security standards.”
“If companies like Contec and Epsimed are found to be selling medical equipment with undisclosed backdoors that send sensitive patient information to the CCP, they must be dealt with by the full force of the law,” Lucci said. “It’s bad enough when a Chinese company creates security risks for Americans. No American company should help them do it.”
Epsimed confirmed that it has received the attorney general’s request and is cooperating.
“On January 2025, when we learned about the security issue with MN-120, we immediately removed it from our product offering while under investigation,” the company’s CEO, Jose Mena, told The Epoch Times.
Contec didn’t respond to a request from The Epoch Times for comment by publication time.