Sen. Tom Cotton says it is important to protect Americans’ privacy and their health information.
Sen. Tom Cotton (R-Ark.) is seeking federal investigations into internet-connected medical devices manufactured in China, warning that compromised equipment could expose Americans to cybersecurity threats from malign foreign actors.
Cotton, chairman of the Senate Select Committee on Intelligence, sent a letter dated May 26 to Kyle Diamantas, acting commissioner of the U.S. Food and Drug Administration (FDA), and Nick Andersen, acting director of the Cybersecurity and Infrastructure Security Agency (CISA).
“American patients’ exposure to compromised Chinese-made medical devices poses a risk to both national security and public health,” Cotton wrote.
Foreign actors that extract data from these compromised devices can lead to “widespread identity theft, insurance fraud, extortion, and more sophisticated scams against American patients,” according to Cotton.
The senator noted that in 2025, the FDA and CISA identified cybersecurity vulnerabilities associated with CMS8000, a model of patient monitors manufactured by China-based Contec Medical Systems. The monitors could gather patient data, including personally identifiable information, and could be remotely controlled by unauthorized users.
“This gave malign Chinese actors an opportunity to directly manipulate how the device operates and displays data, potentially leading to dangerous misdiagnoses of heart failure, arrhythmias, and hypertension,” Cotton wrote.
The FDA issued a Class II recall of the CMS8000 monitors in May 2025.
Since March 2023, the FDA has required new medical devices seeking clearance to meet stricter cybersecurity standards, but older devices approved before the rules took effect are not subject to the same level of cybersecurity scrutiny.
As a result, Cotton said that “more must be done to protect Americans from compromised medical devices.”
The senator asked the FDA and CISA to review Chinese-made medical devices cleared prior to March 29, 2023.
“Protecting Americans’ privacy and ensuring their health data isn’t accessible to cybercriminals in adversarial nations is of utmost importance,” Cotton stated.
Florida Attorney General James Uthmeier has taken legal action to address concerns regarding Contec’s monitors. In June 2025, he subpoenaed Contec Medical Systems and Miami-based company Epsimed, which had been selling Contec-made monitors under its own brand name, over potential cybersecurity risks and alleged violations of Florida’s Deceptive and Unfair Trade Practices Act.
By Frank Fang
