WASHINGTON—The hackers who seriously disrupted operations at a large hospital chain recently and held some data hostage broke into a computer server left vulnerable despite urgent public warnings since at least 2007 that it needed to be fixed with a simple update, The Associated Press has learned.
The hackers exploited design flaws that had persisted on the MedStar Health Inc. network, according to a person familiar with the investigation who spoke on condition of anonymity because this person was not authorized to discuss the findings publicly. The flaws were in a JBoss application server supported by Red Hat Inc. and other organizations, the person said.
The FBI, which is investigating, declined to discuss how the hackers broke in.
The JBoss technology is popular because it allows programmers to write custom-built software tools that can be quickly made available across a company, but security researchers discovered it was routinely misconfigured to allow unauthorized outside users to gain control. The U.S. government, Red Hat and others issued urgent warnings about the security problem and a related flaw in February 2007, March 2010 and again earlier this week. The government warned in 2007 the problem could disrupt operations and allow for unauthorized disclosures of confidential information.
