Florida’s Republican Attorney General James Uthmeier has launched a formal legal investigation into Contec Medical Systems, a Chinese medical device manufacturer with a U.S. sales branch, after accusing the company of selling compromised patient monitoring devices with a potential backdoor that could allow unauthorized data transmission to China. The case involves the CMS800 model, which Uthmeier alleges contains a built-in ‘back than’ that could be exploited by bad actors to manipulate patient data without the patient or healthcare provider’s awareness.
Uthmeier also accused Contec of violating state consumer protection laws by marketing its devices as FDA-approved and compliant with international standards despite evidence that they may not have met these requirements. The Attorney General’s office issued subpoenas to Contec and its U.S. distributor, Epsimed, for documents and communications related to the alleged cybersecurity vulnerabilities and false advertising of the devices.
In a press release, Uthmeier highlighted that federal agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have raised concerns about the CMS800’s potential to automatically transmit patient information to an IP address linked to a Chinese university. He emphasized that the FBI has previously warned of cyber threats targeting U.S. healthcare systems, and the devices may pose an elevated risk of being exploited by foreign actors.
Epsimed, the Miami-based distributor, confirmed receipt of the subpoenas and stated that they were not selling the Contec monitors in the Uthmeier’s press release, but in Latin America. Its CEO, Jose Mena, claimed that the devices in their inventory are used as standalone units without internet connectivity, which he argued minimizes the threat posed by the alleged backdoor. He further stated that once they became aware of the vulnerability in January 2025, they immediately removed the product from their inventory.
Uthmeier’s legal action marks the first step in a broader effort that could lead to civil penalties, injunctive relief, or damages against the companies involved. The case gained attention following recent warnings from U.S. officials and experts about the growing influence of Chinese companies in critical infrastructure and their potential role in compromising national security.
The investigation comes amid broader geopolitical tensions, including a recent Israeli attack on Iran’s nuclear and military sites, which has prompted discussions about the risks posed by foreign entities gaining control over U.S. assets and infrastructure. Michael Lucci, CEO of the conservative group State Armor Action, warned that Chinese land and industrial asset ownership in the U.S. could pose a significant threat in the event of a global conflict.
As the probe unfolds, U.S. federal agencies, including CISA and the FDA, continue to assess the risks associated with the CMS800 and similar devices, while the legal and regulatory scrutiny of Chinese technology companies in the U.S. intensifies. The case underscores growing concerns over cybersecurity, data privacy, and national security in the context of increasing reliance on foreign-made medical technology.
Meanwhile, the case has reignited broader debates about the role of foreign technology in the U.S. healthcare sector and the need for stronger cybersecurity measures to protect sensitive patient data. Lawmakers and industry experts are now calling for increased oversight of medical devices manufactured abroad, especially those used in critical healthcare settings.
Despite the allegations, Contec has not publicly responded to the complaints, and legal proceedings are expected to continue as the state of Florida seeks to determine the extent of any wrongdoing and the potential consequences for the companies involved.
As the legal and regulatory landscape for foreign-owned technology in the U.S. continues to evolve, the case against Contec and Epsimed represents a significant moment in the ongoing debate over national security, data privacy, and the role of foreign entities in critical infrastructure sectors.