Cyber Incident Victim: Axis Health System
Date: Jan 2024
Location: United States of America
Summary
A cyberattack targeted a Colorado healthcare nonprofit managing 13 facilities, disrupting its patient portal and forcing communications with providers to shift to phone calls. The Rhysida ransomware gang claimed responsibility, demanding over $1.5 million to unlock data, while the organization initiated incident response protocols to halt the activity and investigate potential data exposure. The nonprofit stated affected individuals would be notified if patient data was compromised, though the investigation remained ongoing. The incident coincided with broader security research highlighting vulnerabilities in healthcare systems, including exposed medical imaging servers and electronic health record platforms, though these findings were not directly linked to the attack.
Description
Axis Health System, a nonprofit healthcare organization operating 13 facilities across southwest and western Colorado, publicly confirmed a cyberattack affecting its primary care patient portal during the week of January 1, 2024. The organization discovered unauthorized activity compromising its systems, though the exact start date of the incident remained unspecified. Upon detection, Axis activated its incident response protocols to contain the breach, halting the malicious activity and initiating an investigation into the nature and scope of the compromise. The patient portal—critical for communication between providers and patients—was taken offline as a direct result of the attack. Patients were instructed to contact clinics directly via phone for urgent communications or inquiries while systems remained inoperable. Axis stated it would notify affected individuals by mail if the investigation confirmed unauthorized access to patient data, though this determination remained pending at the time of reporting. The organization did not disclose technical details about the attack vector, data exfiltration, or operational disruptions beyond the portal outage.

On January 4, 2024, the Rhysida ransomware gang claimed responsibility for the attack, demanding a ransom payment exceeding $1.5 million to decrypt Axis's data. Rhysida had targeted multiple healthcare entities and government institutions in the preceding months, including Prospect Medical hospitals and the municipal governments of Columbus, Ohio, and Seattle, Washington. Concurrently with the Axis disclosure, cybersecurity firm Censys published research revealing broader vulnerabilities in healthcare infrastructure, identifying 14,004 exposed IP addresses globally linked to medical devices and data systems, of which 36% were tied to medical imaging servers and 28% to electronic health record platforms. Over 5,100 exposed DICOM servers, used for transmitting sensitive medical images such as MRIs and CT scans, were attributed primarily to radiology providers and hospital imaging departments lacking adequate access controls. While Censys notified all exposed entities, the report underscored the systemic risk posed by internet-facing healthcare systems that lack multi-factor authentication or network segmentation. Axis Health System had not released further updates regarding restoration timelines, verification of data compromise, or ransom negotiation status by the article's publication date.
