DOJ Raises Red Flag Over Foreign Data Routing in Connected Medical Devices

Department of Justice cites growing national security risk around health data sent overseas

Washington, D.C. — The U.S. Department of Justice (DOJ) has issued new warnings about the growing national security risks associated with connected medical devices that route sensitive patient data through foreign servers. As remote patient monitoring (RPM) becomes a standard part of chronic care management, officials say the data handling practices of some vendors may be exposing U.S. patients—and the healthcare system—to unintended foreign influence and surveillance.

The DOJ’s concerns stem from reports that certain RPM providers may be using offshore cloud services, allowing data to be stored or processed outside the United States. While the use of global infrastructure is not uncommon in the tech sector, the DOJ argues that healthcare data requires heightened safeguards due to its sensitive nature and potential for misuse.

In particular, data routed through jurisdictions with looser privacy protections—or subject to foreign intelligence laws—could be accessed by governments or actors beyond U.S. oversight. “This is not just about privacy violations,” said a senior DOJ official. “It’s about national resilience and ensuring that critical patient information cannot be intercepted or manipulated by foreign entities.”

Healthcare vendors under increased scrutiny

The DOJ’s comments arrive at a time of increased scrutiny of health tech vendors and their data policies. While many vendors emphasize speed, scalability, and affordability, the DOJ is urging the industry to weigh the risks of foreign infrastructure, especially in light of ongoing geopolitical tensions.

The agency’s position is gaining traction across federal agencies concerned with critical infrastructure. Officials point to the rapid expansion of RPM—fueled by CMS reimbursement and value-based care models—as a vector for unintended data exposure.

Smart Meter responds to DOJ concerns

In response to the DOJ’s statements, Smart Meter, a U.S.-based provider of remote patient monitoring solutions, highlighted the importance of domestic data handling. The company reaffirmed its commitment to routing all patient data exclusively through U.S.-based, HIPAA-compliant servers.

“We fully support the DOJ’s position,” said Casey Pittock, CEO of Smart Meter. “As a country, we can’t afford to outsource the storage or transmission of sensitive health data to foreign jurisdictions. Patients, providers, and the healthcare system deserve better.”

Pittock emphasized that Smart Meter’s own infrastructure avoids these risks by using only secure, domestically hosted services. “We take data security seriously, and it’s clear that national leaders do, too,” he added.

Security risks go beyond compliance

The DOJ also warned that even if a system is technically compliant with HIPAA, the use of foreign infrastructure could still pose national security concerns. “The issue isn’t only whether a system is compliant—it’s about control,” said the DOJ official. “When data travels overseas, so does the authority to protect it.”

Recent cyberattacks on U.S. healthcare systems and critical infrastructure have heightened awareness about the vulnerability of cloud-connected services. Experts say the risk is compounded in cases where vendors use offshore or third-party providers that fall outside the reach of U.S. enforcement or privacy standards.

Call for industry action

As the healthcare sector continues to digitize, DOJ officials are calling on RPM vendors and healthcare providers to conduct thorough audits of their cloud infrastructure and data routing practices.

“Organizations should demand transparency from their vendors,” said the DOJ source. “They need to ask: Where is the data going? Who can access it? And how do we ensure it’s protected—not just legally, but geopolitically?”

Healthcare leaders are increasingly echoing this view, warning that a rush toward low-cost, high-speed solutions should not undermine the integrity of patient care or the security of U.S. infrastructure.
