Hackers used widely known flaw to attack DC hospital chain

The hackers who infiltrated MedStar Health, one of the Washington area’s largest healthcare providers, exploited a network vulnerability that had been waiting for a simple update since at least 2007, The Associated Press reported.

The government and other security and software companies had warned multiple times over the years about the need for the fix, but MedStar apparently never applied the update.


The company did not give a specific reason why the security shortcoming was never dealt with.

The bug was found in what’s known as a JBoss application server. JBoss technology allows programmers to design specialized software tools for a company.

In a statement to the AP, MedStar Assistant Vice President Ann Nickles said the company “maintains constant surveillance of its IT networks in concert with our outside IT partners and cybersecurity experts.”

“We continuously apply patches and other defenses to protect the security and confidentiality of patient and associate information,” she added.

MedStar, which operates 10 hospitals and over 250 outpatient facilities throughout the Maryland and Washington, D.C., area, fell victim to the cyberattack last week. While the company was able to keep operating without a significant disruption in services, it has taken roughly a week to get most of the company’s networks back online, MedStar said.

The discovery of how the hackers got into MedStar highlights widespread security concerns about the healthcare industry, which has been hammered by cyberattacks in recent years.

The MedStar intrusion was just the latest in a string of so-called ransomware attacks at hospitals, where hackers have remotely locked files and demanded ransom payments in exchange for their return.

One California hospital, Hollywood Presbyterian Medical Center, paid $17,000 to free its computers from hackers.

There’s no indication MedStar has had to pay a ransom or that it lost access to files.

In addition to ransomware attacks, the healthcare industry — with its vast troves of personal data — has also become a favorite target for cyber spies.

It’s believed that Chinese hackers last year infiltrated at least two major health insurers, Anthem and Premera Blue Cross, as part of Beijing’s broad cyber espionage program.