Healthcare Cybersecurity: Backdoored Patient Monitors; NY Blood Center Disrupted by Ransomware; CT Health Center Data Breach

The US Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published documents advising that firmware in some Contec and Epsimed internet-connected patient monitors contain a hardcoded credential backdoor that could be exploited to put patient safety at risk. The backdoor could allow attackers to alter device configurations. The publications also note that the devices collect patient data, including protected health information and personally identifiable information, allowing exfiltration of the data 'outside of the health care delivery environment.' The issue affects Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors. The FDA document includes recommendations for patients and caregivers, healthcare providers, and health care facility staff, including information technology (IT) and cybersecurity staff.

On Sunday, January 26, New York Blood Center Enterprises (NYBCe) detected suspicious activity on their IT systems; third-party investigators confirmed that the incident was a ransomware attack. NYBCe provides blood products to more than 400 healthcare organizations across 17 US states. The attack has caused the organization to postpone blood donor appointments and blood drive events. Over the past year, ransomware attacks have disrupted operations at several other blood donation and pathology organizations, including blood plasma provider Octapharma in April 2024, NHS pathology service Synnovis and South Africa's National Health Laboratory Service (NHLS) in June 2024, and blood donation non-profit OneBlood in July 2024.

On January 30, 2025, Connecticut's Community Health Center (CHC) published a notice disclosing a data breach. Cybersecurity experts brought to investigate "unusual activity" found evidence of unauthorized network access and possible theft of patient health record data, which may include "name, date of birth, address, phone number, email, diagnoses, treatment details, test results, Social Security Number (SSN), and health insurance information," as well as "gender, race, [and] ethnicity," and "[vaccine] guarantor name and vaccine type, dose and date administered," depending on treatment history. Data were not deleted nor encrypted for extortion, and daily operations were not impacted. While the notice states that the cybersecurity contractor "stopped the criminal hacker's access within hours," a concurrent filing with the Maine attorney general clarifies that the breach began October, 2024, but was not discovered and remediated until January 2, 2025. CHC has tightened security and implemented software to detect future threats, also offering 24 months of credit monitoring, "a $1,000,000 insurance reimbursement policy," and assistance recovering from identity theft.

The UK government has published a policy paper, Code of Practice for the Cyber Security of AI, which was created with the intent to 'give businesses and public services the confidence they need to harness AI's transformative potential safely.' The Code of Practice comprises 13 principles, which are grouped into categories of secure design, secure development, secure deployment, secure maintenance, and secure end-of-life. The paper states, 'We believe a Code focused specifically on the cyber security of AI is needed because AI has distinct differences to software. These include security risks from data poisoning, model obfuscation, indirect prompt injection and operational differences associated with data management.'

On January 30, 2025, the Garante, Italy's data privacy regulator, blocked the country's access to DeepSeek. The Garante had insisted on disclosure of the company's data policies: the purpose and legal basis of the data collection, what data are collected and from where, whether users are notified about their data being used, whether data are scraped from the internet, and where the data are stored. Answers from Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence were characterized as "completely insufficient," including a declaration that the companies do not operate in Italy and that European laws do not apply to them. In 2023 the Garante temporarily banned ChatGPT and fined the company ~15 million over violations of the EU's General Data Protection Regulation (GDPR). Groups in Ireland and Belgium are also launching investigations of DeepSeek's collection and use of EU citizens' data. Additionally, DeepSeek is one of six "social media applications that pose a security risk to the State of Texas," banned on all the state's governmental devices after a January 31 proclamation by Governor Greg Abbott. Among other precedents and explanations for the ban, the proclamation cites China-based social media companies' obligations to render user data to the government upon request under PRC law.

Wiz Research has published a blog post describing their discovery of a "publicly accessible ClickHouse database belonging to DeepSeek, which allows full control over database operations," potentially allowing unauthenticated privilege escalation, and including the completely unsecured exposure of "over a million lines of log streams containing chat history, secret keys, backend details, and other highly sensitive information." The researchers note that while they avoided intrusive inquiries in the interest of ethical practices, it is possible an attacker could steal plaintext passwords and proprietary information directly from the server using SQL queries. According to WIRED, the researchers had no better luck receiving replies from DeepSeek than the press or other organizations, but within a half hour of "[sending] information about the discovery ... to every DeepSeek email address and LinkedIn profile they could find or guess," the database had ostensibly been secured. Wiz concludes by emphasizing that AI is vulnerable to fundamental security risks that may be overlooked due to "futuristic" conceptions and the unprecedented rapidity with which the technology is being adopted.

The Python Package Index (PyPI) has introduced support for project archival, which allows maintainers to indicate that there are unlikely to be future updates for the identified project. Archived projects will continue to be hosted on PyPI, but the designation 'allows users to make better decisions about which packages they depend on, especially regarding supply-chain security, since archived projects clearly signal that no future security fixes or maintenance should be expected.' Facunda Tuesco, Senior Engineer at Tail of Bits, writes, 'Project archival is just the beginning: we're also looking into additional maintainer-controlled project statuses, as well as additional PyPI features to improve both upstream and downstream experiences when handling project 'lifecycles.'

Researchers from the Akamai Security Intelligence and Response Team (SIRT) have identified a Mirai variant, Aquabotv3, that exploits a known command injection vulnerability in certain Mitel phones in an attempt to corral the devices into a botnet capable of launching distributed denial-of-service (DDoS) attacks. The researchers note that the malware variant includes a feature they have not previously observed in Mirai: 'a function (report_kill) to report back to the command and control (C2) when a kill signal was caught on the infected device.' The Mitel vulnerability, CVE-2024-41710, was disclosed last summer.

A report from the UK's National Audit Office (NAO) 'examines whether the government's efforts to improve its cyber resilience are keeping pace with the cyber threat it faces.' In a 2022 Cyber Security Strategy, the UK government said its 'central aim [was] for government's critical functions to be significantly hardened to cyber attack by 2025.' The audit report published last week suggests that the government will not meet that goal, due in large part to dependence on legacy systems, and noted that 'departments have no fully funded remediation plans for half of these vulnerable systems.' NAO examined 58 critical UK government IT systems and found 'significant gaps in their system controls that are fundamental to their cyber resilience.'

On Friday, January 31, Tata Technologies reported a cybersecurity incident to the National Stock Exchange of India. According to the letter, a ransomware incident prompted the multinational company to temporarily suspend some of their IT services. Those services have since been restored. Tata Technologies is a subsidiary of Tata Motors; they focus on automotive design, aerospace, and industrial engineering, and have operations in 27 countries.