Eric Jones, MIE's chief operating officer, said that the software developer is fully cooperating with the FBI and that it wasn't responsible for the database changes at ONE or the placement of the back door in the clinic's system.

"We don't use back doors in our software, period," Jones said. "We don't believe in them." MIE officials "are hopeful that the investigation will be wrapped up soon," he added. "We don't expect that anything would come of this."

Raymond Kusisto, the clinic's CEO, said via e-mail that ONE had little to add about the hacking incident beyond the information that was disclosed by Plesko. "Once the FBI investigation is complete, we'll hopefully learn some things that may be appropriate to share," Kusisto said.

An FBI spokeswoman in the agency's Indianapolis office declined to confirm or deny that an investigation is taking place, citing U.S. Department of Justice policies.

The incident highlights the need for companies to pay special attention to the dangers posed by embedded back doors, Kessler said. It also shows, he added, that when IT managers set up trusted VPN connections with third parties, "you are indirectly trusting the people they are trusting."