Texas Governor Greg Abbott (R) directed state health agencies and public university health systems Monday to immediately address cybersecurity vulnerabilities in Chinese-manufactured patient monitors, citing credible evidence that the devices contain backdoors that could let Beijing access sensitive medical data on Americans.
The governor’s office identified two specific devices: the Contec CMS8000 and the Epsimed MN-120 patient monitors, both made by a Chinese firm and used widely in U.S. hospitals. Both have been installed across Texas health facilities. According to Abbott’s office, the Chinese devices run the risk of allowing “unauthorized actors to access protected health information remotely.”
“Maintaining Texans’ physical security and protecting their personal privacy, especially personal medical data, is of paramount importance,” Abbott said in a statement. “I will not let Communist China spy on Texans. State-owned medical facilities must ensure there are safeguards in place to protect Texans’ private medical data and our critical medical infrastructure.”
The directive follows a federal advisory issued by the FDA and the Cybersecurity and Infrastructure Security Agency in early 2025. CISA found that firmware in the Contec CMS8000 contains a backdoor that silently connects to a Chinese IP address, transmitting patient data without any notification to the hospital or the patient. The FDA confirmed that the vulnerabilities could allow an outside actor to exploit multiple devices on the same hospital network at the same time.
No software patch has been developed to fix the problem. CISA’s official recommendation: remove the devices from the network entirely.
“These FDA and CISA notices underscore the need for state agencies and state-owned medical facilities to ensure they are continually operating safe and secure environments as even FDA regulated devices can introduce operational and cybersecurity risks if they are not carefully assessed and monitored,” Abbott’s directive states.
The FDA safety communication advised healthcare providers to check their Contec and Epsimed monitors for unusual functioning, including cases where the displayed vitals do not match the patient’s actual condition, a possible sign of tampering. Hospitals were told not to connect the devices to the internet and to isolate them from broader hospital networks while the companies work toward a fix.
Contec is headquartered in Qinhuangdao, China. The firm has disputed characterizations of the vulnerability as an intentional backdoor, but security researchers and federal agencies have said the behavior of the device’s firmware is consistent with deliberately built-in remote access capability.
The action is Abbott’s second major move on Chinese technology infiltration in 2026. In January, Abbott updated Texas’s Prohibited Technologies list to include additional hardware, software, and AI platforms tied to China and the Chinese Communist Party.
Abbott previously expanded the list of technologies that are banned from state-owned devices.
