Date Issued: January 30, 2025 

The U.S. Food and Drug Administration (FDA) is raising awareness among health care providers, health care facilities, patients, and caregivers that cybersecurity vulnerabilities in Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors (which are Contec CMS8000 patient monitors relabeled as MN-120) may put patients at risk after being connected to the internet.

Three cybersecurity vulnerabilities have been identified:

  • The patient monitor may be remotely controlled by an unauthorized user or not work as intended.
  • The software on the patient monitors includes a backdoor, which may mean that the device or the network to which the device has been connected may have been or could be compromised.
  • Once the patient monitor is connected to the internet, it begins gathering patient data, including personally identifiable information (PII) and protected health information (PHI), and exfiltrating (withdrawing) the data outside of the health care delivery environment.

These cybersecurity vulnerabilities can allow unauthorized actors to bypass cybersecurity controls, gaining access to and potentially manipulating the device.

The FDA is not aware of any cybersecurity incidents, injuries, or deaths related to these cybersecurity vulnerabilities at this time. 

Recommendations for Patients and Caregivers  

  • Talk to your health care provider about whether your device relies on remote monitoring features. Remote monitoring means the device uses an internet connection to allow a health care provider to evaluate patient vital signs from another location (such as a remote monitoring system or central monitoring system).
    • If your health care provider confirms that your device relies on remote monitoring features, unplug the device and stop using it. Talk to your health care provider about finding an alternative patient monitor. 
    • If your device does not rely on remote monitoring features, use only the local monitoring features of the patient monitor. This means unplugging the device’s ethernet cable and disabling wireless (that is, WiFi or cellular) capabilities, so that patient vital signs are only observed by a caregiver or health care provider in the physical presence of a patient. 
      • If you cannot disable the wireless capabilities, unplug the device and stop using it. Talk to your health care provider about finding an alternative patient monitor.   
  • Be aware the FDA is not aware of any cybersecurity inciden