Texas Governor Instructs State Agencies to Audit Chinese Medical Devices

Posted by Steve Alder

Texas Governor Greg Abbot has ordered all state agencies and state-owned medical facilities to conduct an audit of patient monitoring devices to ensure that they do not have unresolved vulnerabilities that could be exploited to gain access to Texans’ sensitive health information. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the United States Food and Drug Administration (FDA) have issued warnings about vulnerabilities in patient monitoring devices manufactured in China. Devices have been found to contain a backdoor that can be used by a remote attacker to gain access to sensitive patient data.

There has been a proliferation of Chinese-manufactured medical devices within the U.S. healthcare system. The concern is that these devices have backdoors that can be exploited by state-sponsored hacking groups to obtain the private medical information of Americans. Governor Abbot wants to make sure that the private medical data of Texans cannot be obtained by China. “I will not let Communist China spy on Texans. State-owned medical facilities must ensure there are safeguards in place to protect Texans’ private medical data,” Governor Abbot said in a letter to the Texas Health and Human Services Commission (HHSC), Texas Department of State Health Services (DSHS), and the Texas Cyber Command (TXCC).

Governor Abbot has directed state agencies to take action to ensure that sensitive medical data is protected. HHSC and DSHS have been asked to review all state-owned medical facilities under their jurisdiction and attest that all new purchases of medical devices were procured in compliance with the November 19, 2024, Executive Order GA-48, which requires the hardening of cybersecurity by the state government.

HHSC, DSHS, and public systems of higher education are required to catalog all state-owned medical devices capable of transmitting data via a network, or that can be accessed remotely, and share that inventory with TXCC. Assisted by TXCC, HHSC, DSHS, and public systems of higher education, are required to review their cybersecurity policies related to the protection of personal health information at all state-owned medical facilities under their jurisdiction, and specifically include how policies address FDA and CISA-issued alerts for internet-connected medical devices.

TXCC has been instructed to review whether Contec CMS8000 and Epsimed MN-120 patient monitors, and any other devices used by HHSC, DSHS, and public systems of higher education, have been the subject of an FDA safety notice, and to ensure that any that have are placed on the prohibited technology list.

TXCC is also required to convene appropriate executives at HHSC, DSHS, and public systems of higher education and make recommendations for addressing emergent cybersecurity risks, monitoring of devices, and mitigation strategies. Governor Abbot has committed to proposing legislation in the next session to better protect Texans’ private medical data from hostile foreign actors, such as China.

The post Texas Governor Instructs State Agencies to Audit Chinese Medical Devices appeared first on The HIPAA Journal.

Trump Administration Announces Aggressive Cyber Strategy

Posted by Steve Alder

The Trump administration has announced its long-awaited cybersecurity strategy. While light on detail, the Trump administration has committed to deploying the full suite of defensive and offensive cyber operations available to the U.S. government and will aggressively target transnational cybercrime groups to protect Americans.

For many years, cybercriminals have targeted the United States more than any other country, and cyberattacks have been growing in volume and sophistication. Financially motivated cybercriminals and state-sponsored hacking groups continue to target the U.S. government and private sector firms, with Russia, China, Iran, and North Korea posing the greatest threat to critical infrastructure and national security. In contrast to published strategies from past administrations, none of these countries is named in the policy document.

The document – President Trump’s CYBER STRATEGY for America – announces six policy pillars that underpin the strategy. Each of the six policy pillars is vital for national security; however, the document lacks detail on how the U.S. government will achieve those cybersecurity goals. The strategy includes only 5 pages of text, two of which are introductory pages boasting of the might of the United States, America’s wealth of cybersecurity talent, and its unrivalled technological and economic innovation.

Regarding talent, the U.S. government has lost a considerable amount during President Trump’s second term, including the heads of the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA). Neither agency currently has a Senate-confirmed leader, and CISA has lost around one-third of its workforce under the current administration.

That said, the strategy is welcome news and will guide the efforts of the United States in targeting cybercriminals and nation-state actors. By improving defenses and aggressively targeting cybercriminal gangs, the Trump administration plans to make it much harder for adversaries’ cyber operations to succeed by eroding their capabilities and raising the costs for their aggression.

“By disrupting adversaries’ cyber campaigns and making our networks more defensible and resilient, we will unleash innovation, accelerate economic growth, and secure American technology dominance. We will remove burdensome, ineffective regulations so that our industry partners innovate quickly in emerging technologies. Partners in the private sector must be able to respond and recover quickly to ensure continuity of the American economy,” explained President Trump in the cyber strategy document.

The six pillars outlined in the strategy for guiding the U.S. government are:

  • Shape adversary behavior – Full use of government resources for tackling cybercrime and incentivizing the private sector to help identify and disrupt adversary networks. “We will uproot criminal infrastructure and deny financial exit and safe haven.”
  • Promote common sense regulation – The administration plans to streamline cyber regulations to reduce compliance burdens, address liability, and better align regulators and industry globally.
  • Modernize and secure federal government networks – Accelerating the modernization of federal information systems by implementing cybersecurity best practices, post-quantum cryptography, zero-trust architecture, and cloud transition.
  • Secure critical infrastructure – Harden defenses and information and operational technology supply chains to deny adversaries access and ensure a rapid response and recovery in the event of a successful attack
  • Sustain superiority in critical and emerging technologies – Building secure technologies and supply chains, supporting the security of cryptocurrencies and blockchain technologies, promoting post-quantum cryptography and secure quantum computing, and securing the AI technology stack and promoting innovation in AI security.
  • Build talent and capacity – Ensuring there is investment in America’s cyber workforce, the creation of a pipeline that develops and shares talent, and the elimination of roadblocks that prevent industry, academia, government, and the military from aligning incentives and building a highly skilled cyber workforce.

The cyber strategy is accompanied by a new Executive Order that targets transnational criminal organizations that engage in cybercrime, fraud, and predatory schemes targeting American families, businesses, and critical infrastructure. The Executive Order specifically targets the most prevalent and costly cybercriminal operations, including ransomware attacks, phishing campaigns, financial fraud, sextortion schemes, and impersonation scams.

The Executive Order directs administration officials to conduct a comprehensive review of the operational, technical, diplomatic, and regulatory tools for combatting cybercriminal gangs, establishes a dedicated operational cell within the National Coordination Center (NCC) tasked with creating an action plan that identifies the groups responsible for scam centers and cybercrime and solutions for prevention, investigation, detection, disruption, and dismantling those groups’ operations.

The Attorney General has been instructed to prioritize prosecutions of cyber-enabled fraud and scam schemes, pursuing the most serious, provable offenses, and create a  Victims Restoration Program to ensure that seized and forfeited funds are directed to the victims of cybercrime. The Secretary of the Department of Homeland Security has been tasked with working with state and local partners and providing training, technical assistance, and resilience building against cyber threats.

The reception of the cyber strategy has been largely positive, although the policy has attracted some criticism for failing to state how the U.S. government will achieve its cybersecurity goals.  “The National Cyber Strategy represents an important step in aligning federal cyber policy with the scale and complexity of today’s threats. However, the hard work begins now, and that’s translating the vision into ambitious-yet-achievable operational outcomes. Consequence-based prioritization will be essential to ensure finite federal and private-sector resources are focused on the systems where disruption would have the greatest national impact,” said Matthew Hartman, Chief Strategy Officer at Merlin Group, a network of affiliates that invests in, enables, and scales cyber technology companies. “At the same time, this is an opportunity to clarify how government and industry divide responsibility for defining and delivering shared security and resilience outcomes. If implemented effectively, the strategy can help drive coordinated action across government and strengthen resilience across the infrastructure that underpins the U.S. economy and national security.”

“President Trump’s Cyber Strategy for America puts operational effect ahead of “compliance theater.” From a practitioner’s perspective, the emphasis on modernizing federal systems with zero trust, post‑quantum cryptography, and AI‑enabled defense—while streamlining duplicative regulation—is directionally appropriate,” said Bruce Jenkins, Chief Information Security Officer, Black Duck, an application security solution provider.The real test and historical challenge will be in execution: translating these pillars into clear requirements, faster procurement, and measurable risk reduction across government and the defense industrial base.”

The post Trump Administration Announces Aggressive Cyber Strategy appeared first on The HIPAA Journal.

February 2025 Cyberattack Affected More Than 230K Bell Ambulance Patients

Posted by Steve Alder

Bell Ambulance has confirmed that the protected health information of more than 230,000 patients was compromised in a February 2025 cyberattack. Data breaches have also been reported by Northwest Medical Homes in Oregon, and the New York Plastic surgeon, Alexes Hazen, MD.

Bell Ambulance, Wisconsin

Bell Ambulance, a Milwaukee, Wisconsin-based ambulance service, has notified the Maine Attorney General that a hacking incident identified in February 2025 has affected 237,830 individuals. Bell Ambulance detected unauthorized activity within its network on February 13, 2025. Third party cybersecurity experts were engaged to investigate the data breach, and confirmed that the protected health information of 114,000 individuals had been compromised in the incident. Notification letters were sent to those individuals on April 18, 2025; however, the data review had not yet concluded.

It has taken a year to review all data potentially compromised in the incident. On January 15, 2026, additional individuals were notified that they had been affected, and the data review concluded on February 20, 2026. Additional notification letters were mailed on March 9, 2026. Data compromised in the incident included first and last names, birth dates, Social Security numbers, driver’s license numbers, financial account information, medical information, and health insurance information. Bell Ambulance has offered the affected individuals complimentary credit monitoring and identity theft protection services for 12 or 24 months as a precaution. Bell Ambulance said it is unaware of any misuse of the impacted data at the time of issuing notification letters.

Northwest Medical Homes, Oregon

Springfield, Oregon-based Northwest Medical Homes, LLC, has notified certain patients about a cybersecurity incident first identified on May 13, 2025. Third party cybersecurity experts were engaged to help secure its systems, investigate the incident, and harden and enhance system security. The investigation confirmed that patients’ protected health information may have been compromised in the incident.

The breach notice submitted to the California Attorney General does not state what types of data were compromised in the incident, other than names and addresses. The individual notification letters state the exact types of data compromised for each patient.

Law enforcement has been notified, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 or 24 months as a precaution. Northwest Medical Homes said it was unaware of any data misuse at the time of issuing notifications. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Alexes Hazen, MD, PLLC, New York

Alexes Hazen, MD, PLLC, a New York-based board-certified plastic surgeon, has recently announced a cybersecurity incident and data breach. The practice learned about the incident on or around January 20, 2026, and started working with law enforcement and third-party cybersecurity experts to determine the nature and scope of the incident.

The investigation confirmed that an unauthorized third party accessed certain computer systems between June 23, 2025, and July 15, 2025, and may have exfiltrated a limited amount of patient data. The review of the affected data is ongoing, but it has been confirmed that the types of information compromised in the incident include names, dates of birth, demographic information, Social Security numbers, government-issued ID numbers, medical histories, conditions, procedure/diagnosis information, medical information, insurance information, payment information, and photographs.

Notification letters are being mailed to the affected individuals, and steps have been taken to harden security to prevent similar incidents in the future. The breach has been reported to the HHS’ Office for Civil Rights using a placeholder figure of 500 affected individuals. The total will be updated when the file review is concluded.

The post February 2025 Cyberattack Affected More Than 230K Bell Ambulance Patients appeared first on The HIPAA Journal.