Smart Meter Warns of Foreign Data Routing Risks in Connected Medical Devices
Smart Meter, a U.S.-based provider of cellular-enabled remote patient monitoring (RPM) devices, is raising concerns about the security of sensitive health data transmitted by some connected medical devices. The company warns that patient information from certain devices may be routed through servers located in China and other foreign nations before reaching U.S. healthcare providers — potentially exposing it to surveillance or misuse.
This issue has drawn increasing attention amid heightened scrutiny of U.S.-China data flows. Federal agencies and lawmakers have expressed concerns about national security risks posed by health data being processed through foreign infrastructure.
New DOJ Rule Imposes Restrictions
In response to these concerns, the U.S. Department of Justice issued a new rule on April 8, 2025, limiting the transfer of personal data to foreign adversaries, including China. The DOJ provided a 90-day enforcement discretion period — ending on July 8, 2025 — during which civil enforcement actions will not be prioritized for organizations making good-faith efforts to comply. However, intentional violations remain subject to enforcement.
Criminal penalties for willful misconduct may include:
- Fines up to $1 million
- Imprisonment up to 20 years
- Penalties for knowingly facilitating prohibited transfers or attempting to bypass the regulations
Shared Responsibility for Data Security
The new rules also shift liability expectations, making it possible for both RPM vendors and healthcare providers to be held jointly responsible for data breaches — even if the breach stems from a third-party service.
This change, Smart Meter says, should prompt providers to closely evaluate the data security practices of their technology partners.
“Healthcare data is among the most sensitive information that can be collected, and our government officials are concerned about where that data is sent,” said Casey Pittock, CEO of Smart Meter. “Routing personal health data through China exposes it to foreign surveillance and increases the risk of breaches or misuse.”
Data Infrastructure Matters
Smart Meter highlights that some RPM devices operating in the U.S. still rely on cloud services or infrastructure hosted abroad. This could mean that patient data such as blood pressure, glucose levels, or weight is sent internationally — sometimes without patients’ or providers’ knowledge.
In contrast, Smart Meter states that its cellular-enabled devices — including iGlucose, iBloodPressure, iPulseOx, and iScale — operate exclusively within a HIPAA-compliant U.S. infrastructure, transmitting data directly through a dedicated AT&T network.
“For all new products, Smart Meter performs a forensic analysis before releasing them for public use,” said Derek Trauger, CTO of Smart Meter. “We work closely with our manufacturers to identify potential vulnerabilities that could allow healthcare data to be exposed to countries of concern. Any company not performing this level of analysis is putting patient data at risk.”
Urging Providers to Act
As the DOJ’s grace period closes, Smart Meter urges healthcare providers to:
- Ask vendors where data is routed and stored
- Review compliance documentation and audits
- Choose partners with U.S.-based data infrastructure
The company emphasizes the importance of transparency and due diligence in protecting health data from international exposure and potential misuse.
