CyberSecurity news

FlagThis - #patientdata

@www.fda.gov - 31d
The Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued warnings regarding a critical security flaw in Contec CMS8000 patient monitors. These monitors, manufactured by a Chinese company, contain a hidden backdoor that allows for unauthorized remote access. This backdoor enables the devices to connect to a hard-coded IP address located at a third-party university in China, potentially allowing the download and execution of unverified files. The vulnerability, tracked as CVE-2025-0626 and CVE-2025-0683, impacts all analyzed firmware versions of the device.

The discovered backdoor poses a significant risk to patient safety and data privacy. It allows malicious actors to modify device settings, execute arbitrary code, and alter displayed vital signs. Furthermore, patient data, including personal and health information, is sent in plain text to the hard-coded IP address. This unauthorized exfiltration of sensitive information and the potential for device manipulation could lead to improper medical responses and endanger patient well-being. CISA has stated that the backdoor is unlikely to be a normal update mechanism, noting that it lacks any integrity checking or version tracking, which makes it difficult for hospitals to detect compromised devices.

References:
  • BleepingComputer: The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that Contec CMS8000 devices, a widely used healthcare patient monitoring device, include a backdoor that quietly sends patient data to a remote IP address and downloads and executes files on the device.
  • CISA: CISA has an 11-page warning that a patient monitor known as Contec CMS8000 has an embedded backdoor with a hard-coded IP address which enables patient data spillage or remote code execution (CISA puts forth a scenario where the device is altered to display inaccurate patient vital signs, which poses a serious risk to patient safety).
  • BleepingComputer: Backdoor found in two healthcare patient monitors, linked to IP in China
  • www.helpnetsecurity.com: Patient monitors with backdoor are sending info to China, CISA warns
  • socradar.io: CISA Warns of Backdoor in Contec CMS8000 Patient Monitors
  • The Hacker News: CISA and FDA Warn of Critical Backdoor in Contec CMS8000 Patient Monitors
  • cyberinsider.com: CISA issues a warning about a backdoor in Contec CMS8000 patient monitors, highlighting the risk of remote code execution and patient data exfiltration.
  • thecyberexpress.com: Critical Flaws in Contec CMS8000 Allow Remote Code Execution and Patient Data Theft
  • CyberInsider: Contec Monitors Used in U.S. Hospitals Carry Chinese Backdoor
  • securityaffairs.com: The U.S. CISA and the FDA warned of a hidden backdoor in Contec CMS8000 and Epsimed MN-120 patient monitors.
  • Information about the backdoor found in Contec patient monitors.
  • securityonline.info: The Contec CMS8000 patient monitors are vulnerable to remote attacks.
  • ciso2ciso.com: Backdoor in Chinese-made healthcare monitoring device leaks patient data – Source: www.csoonline.com
  • securityboulevard.com: Critical ‘Backdoor’ Discovered in Widely Used Healthcare Patient Monitors
  • www.csoonline.com: Contec CMS8000 patient monitors are found to have a hidden backdoor that transmits patient data to a hardcoded IP address and executes files remotely.
  • therecord.media: CyberScoop article about the vulnerabilities in the monitors.
  • ciso2ciso.com: Contec CMS8000 patient monitors contain a hidden backdoor – Source: securityaffairs.com
  • securityboulevard.com: Healthcare Crisis Emerges: Cybersecurity Vulnerabilities in Patient Monitors Confirmed by FDA
  • Vulnerability-Lookup: A new bundle, CISA Releases Fact Sheet Detailing Embedded Backdoor Function of Contec CMS8000 Firmware, has been published on Vulnerability-Lookup.
  • securityonline.info: The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical security alert regarding the Contec CMS8000 patient monitors.
  • securityonline.info: CISA Warns of Hidden Backdoor in Contec CMS8000 Patient Monitors
  • www.cysecurity.news: The U.S. Food and Drug Administration (FDA) has issued a safety communication highlighting cybersecurity vulnerabilities in certain patient monitors manufactured by Contec and relabeled by Epsimed.
  • ciso2ciso.com: This news alert brings light to a critical backdoor discovered in widely used healthcare patient monitors.
  • Security Boulevard: CISA/FDA Warn: Chinese Patient Monitors Have BAD Bugs
  • claroty.com: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated…
  • www.heise.de: Medical surveillance monitor: Backdoor discovered in Contec CMS8000. Attackers can attack medical hardware from Contec, which can result in malicious code getting onto devices. There has been no security update to date.
  • Claroty: There was increased interest in the healthcare industry's patient monitors after CISA's warning on 31 January 2025. Claroty's Team82 had previously investigated the firmware and reached the conclusion that it is most likely not a hidden backdoor, but instead an insecure/vulnerable design that introduces great risk to patient monitor users and hospital networks. Their conclusion is mainly based on the fact that the vendor, and the resellers who re-label and sell the monitor, list the IP address in their manuals and instruct users to configure the Central Management System (CMS) with this IP address within their internal networks. Note: there are associated vulnerabilities: Hidden Functionality vulnerability in Contec Health CMS8000 Patient Monitor (CVSSv4: 7.7 / v3.1: 7.5, high) and Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Contec Health CMS8000 Patient Monitor (CVSSv4: 8.2, high / v3.1: 5.9, medium).

Dissent@DataBreaches.Net - 10d
Major Australian IVF provider Genea has confirmed a cybersecurity incident where an unauthorized third party accessed its data. The company detected suspicious activity on its network and promptly shut down some systems and servers to investigate the extent of the breach. Genea is working to determine what specific data was compromised and is taking steps to secure its systems. The incident disrupted patient services, including phone lines, the Genea app, and email communications, causing frustration for patients who rely on the clinic's data processing systems for critical blood test data related to their IVF treatment cycles.

This cyber incident has raised concerns about the security of patient data at healthcare providers. Genea has stated that it is "urgently investigating" the incident and will contact any individuals whose personal data has been compromised. The clinic is also working to restore systems and minimize disruptions to services, assuring patients that their privacy and data security are taken very seriously. Genea has multiple clinics across Australia and is working to ensure minimal disruption to patient services.

References:
  • Carly Page: Australian IVF giant Genea has disclosed a cybersecurity incident that disrupted patient services and led to the access of potentially sensitive information
  • ciso2ciso.com: Australian IVF Clinic Suffers Data Breach Following Cyber Incident – Source: www.infosecurity-magazine.com
  • www.cybersecurity-insiders.com: Genea Australia data breach and Black Basta Ransomware gang data leak. Genea IVF Australia, a leading fertility service provider and one of the three largest in the country, has confirmed that it has fallen victim to a significant cyberattack, resulting in a data breach.
  • DataBreaches.Net: Major Australian IVF provider Genea suffers ‘cyber incident’
  • kirbyidau.com: Incident: Australian IVF provider Genea in cyber incident | iTnews
  • www.scworld.com: Cyberattack compromises leading Australian IVF provider's data
  • Carly Page: Australian IVF provider Genea confirms hackers have leaked sensitive patient data after Termite listed the firm on its dark web site. A court order prohibiting publication of the stolen data reveals that hackers breached Genea's network on January 31 to steal more than 900GB of information
  • The420.in: Termite Ransomware Gang Breaches Australian IVF Giant Genea
  • bsky.app: The Termite ransomware gang has claimed responsibility for breaching and stealing sensitive healthcare data belonging to Genea patients, one of Australia's largest fertility services providers.
  • thecyberexpress.com: Cyberattack on Australia’s Genea: Stolen Patient Data Hits the Dark Web

Swagta Nath@The420.in - 5d
Australian IVF provider Genea has confirmed a significant cyberattack, with the Termite ransomware gang claiming responsibility for breaching their systems and stealing sensitive patient data. The hackers reportedly accessed Genea's network on January 31st and exfiltrated over 900GB of information. This breach has led to the leaking of patient data on the dark web, raising serious concerns about privacy and the potential misuse of personal health information.

A court order is in place prohibiting the publication of the stolen data, indicating the sensitive nature of the compromised information. The Termite ransomware gang, identified as the perpetrators, are now confirmed to have stolen 700GB of data.

References:
  • Carly Page: Australian IVF provider Genea confirms hackers have leaked sensitive patient data after Termite listed the firm on its dark web site. A court order prohibiting publication of the stolen data reveals that hackers breached Genea's network on January 31 to steal more than 900GB of information
  • thecyberexpress.com: Termite ransomware group has allegedly leaked sensitive patient data following the Genea cyberattack, targeting one of Australia’s leading fertility providers.
  • The420.in: The Termite ransomware gang has taken responsibility for breaching Genea, one of Australia’s largest fertility service providers, and stealing sensitive patient data.
  • bsky.app: The Termite ransomware gang has claimed responsibility for breaching and stealing sensitive healthcare data belonging to Genea patients, one of Australia's largest fertility services providers.
  • bsky.app: BleepingComputer article on Genea Breach by Termite Ransomware Gang
  • www.cysecurity.news: Australian IVF Giant Genea Suffers Data Breach Following Cyber Incident

@www.fda.gov - 28d
References: securityboulevard.com, AAKL
The FDA and CISA have issued warnings regarding cybersecurity vulnerabilities found in Contec CMS8000 and Epsimed MN-120 patient monitors. These monitors, often used for remote patient care in homes and hospice settings, present potential risks when connected to the internet. The agencies advise users to disconnect these devices from the network where possible.

These vulnerabilities could allow unauthorized access to and manipulation of the devices. CISA discovered a backdoor function with a hard-coded IP address in all analyzed firmware versions of the Contec CMS8000. The identified risks include the potential for unauthorized transmission of patient data and remote code execution, with one vulnerability receiving a critical CVSS score of 9.8. These patient monitors display vital patient information including temperature, heartbeat and blood pressure.

References:
  • securityboulevard.com: Security Boulevard article on the vulnerabilities in Contec and Epsimed patient monitors.
  • AAKL: Claroty, from yesterday: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated…