Back

Senator Calls for Review of Cybersecurity Risks in Chinese-Made Medical Devices

Severity: High (Score: 75.5)

Sources: Mddionline, Cotton.Senate

Published: 2026-05-27 · Updated: 2026-05-27

Keywords: senator, review, medical, cotton, chinese, device, devices

Severity indicators: ot, medical

Summary

Senator Tom Cotton has requested the FDA to investigate cybersecurity vulnerabilities in Chinese-made medical devices, particularly the Contec CMS8000 patient monitor. This device has been linked to data theft and remote hijacking, exposing American patients to risks such as identity theft and fraud. The FDA and CISA had previously warned about these vulnerabilities in January 2025, leading to a Class II recall of the device in May 2025. Despite the recall, thousands of these monitors remain in use. Cotton's letter emphasizes the need for enhanced scrutiny of medical devices cleared before March 2023, as new cybersecurity requirements were only implemented then. This request follows a broader investigation initiated by Texas Governor Greg Abbott into foreign-manufactured medical devices, particularly focusing on cybersecurity risks. The ongoing investigation is part of a larger effort to protect public health and national security from potential threats posed by adversarial nations. Key Points: • Senator Tom Cotton urged the FDA to review cybersecurity vulnerabilities in Chinese medical devices. • The Contec CMS8000 patient monitor has been linked to data theft and unauthorized remote access. • A Class II recall was issued for the CMS8000 in May 2025, but thousands remain in use.

Detailed Analysis

**Impact** Approximately 7,000 Contec CMS8000 patient monitors manufactured in China were recalled due to cybersecurity vulnerabilities but remain in use, exposing thousands of American patients to risks. The healthcare sector is affected, with 22% of organizations experiencing cyberattacks on medical devices and a 30% increase in ransomware attacks in 2025. Patient data at risk includes personally identifiable health information, which could be exploited for identity theft, insurance fraud, extortion, and medical misdiagnoses. The issue primarily impacts U.S. healthcare facilities, including state-owned institutions in Texas. **Technical Details** The Contec CMS8000 device automatically exfiltrated patient health data when connected to the internet and allowed unverified remote users to control device functions without provider knowledge. This vulnerability enabled potential manipulation of device readings, risking dangerous misdiagnoses of cardiac conditions. The attack vector involves exploitation of networked medical devices with embedded backdoors or weak authentication controls. No specific CVEs, malware, or IOCs are provided in the articles. **Recommended Response** Urgently review and remove or isolate Chinese-made medical devices cleared before March 29, 2023, especially the Contec CMS8000 and Epsimed MN-120 models. Implement enhanced network segmentation and monitoring for unusual device communications or remote access attempts. Apply FDA-mandated cybersecurity safeguards to all new and existing devices where possible. Monitor for unauthorized remote control activity and exfiltration of patient data; no specific patches or IOCs were identified in the sources.

Source articles (2)

  • Cotton to FDA: Investigate Dangerous Chinese — Cotton.Senate · 2026-05-26
    Washington, D.C. — Senator Tom Cotton (R-Arkansas) today sent a letter to Acting U.S. Food and Drug Administration (FDA) Commissioner Kyle Diamantas requesting enhanced review of medical devices manuf…
  • Senator Demands Review of Chinese Medical Device Security — Mddionline · 2026-05-27
    Senator Tom Cotton urges FDA to review pre-2023 Chinese-made medical devices after cybersecurity vulnerabilities in recalled patient monitors exposed thousands to data theft and remote device hijackin…

Timeline

  • 2025-01-30 — FDA and CISA warn of vulnerabilities in Contec CMS8000: The agencies reported that the device could extract sensitive patient data when online, posing serious risks.
  • 2025-05-14 — FDA issues Class II recall of Contec CMS8000: The recall was prompted by identified cybersecurity vulnerabilities that could lead to data breaches.
  • 2026-03-09 — Texas Governor orders investigation into foreign medical devices: Governor Abbott initiated a review focusing on cybersecurity risks associated with devices made in China.
  • 2026-05-26 — Senator Cotton sends letter to FDA: Cotton requested an investigation into Chinese-made medical devices cleared before 2023 due to cybersecurity concerns.

Related entities

  • Data Breach (Attack Type)
  • Intuitive Surgical (Company)
  • Medtronic (Company)
  • Stryker (Company)
  • UFP Technologies (Company)
  • China (Country)
  • United States (Country)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • medtronic.as (Domain)
  • Healthcare (Industry)
  • T1021 - Remote Services (Mitre Attack)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed