Hackers leak thousands of confidential files from Axis Health System

Highly sensitive information was released after cyber attacks and $1.6 million ransom demand
Axis Health System was the victim of a cyberattack that led to the release of thousands of documents including confidential patient records. (Shane Benjamin/Durango Herald file)

Confidential files from Axis Health System that contain sensitive information including patient names, their addresses, treatment records and other personally identifying information were leaked by hackers Thursday.

Rhysida, a ransomware group, breached the health system last week and demanded 25 bitcoin – about $1.6 million – in ransom by Thursday. According to the group’s website, some of the 2.8 terabytes of data stolen was sold and the rest was posted on the dark web.

Axis provides mental and behavioral health care, as well as substance use treatment, at 13 locations across the Western Slope.

Hundreds of thousands of leaked documents, some of which were reviewed by The Durango Herald, contain not only sensitive employee information, but also confidential patient records protected under the Health Insurance Portability and Accountability Act.

Two Axis employees confirmed to the Herald that confidential information found in the files was accurate.

“It’s pretty worrisome, for sure,” said one employee whom the Herald is not naming because she was not authorized to speak for the organization. “We’re all scrambling.”

Axis spokeswoman Haley Leonard-Saunders confirmed Tuesday that there had been a cyberattack. She was tight-lipped Thursday and said that an active investigation was ongoing.

“Nothing has changed,” she said.

In a news release published after Axis was contacted by the Herald, the health system confirmed the publication of internal information and said the breach had occurred between July 9 and Sept. 4.

Leonard-Saunders confirmed that anyone impacted would be notified directly by mail.

In a previous email, she said that Axis quickly followed its incident response protocol and took immediate steps to stop the unauthorized activity and investigate the nature and scope of the incident.

Ransomware attacks on health care systems are increasingly common, said cybersecurity expert Jack Danahy, vice president at Vermont-based NuHarbor Security, because the data those systems retain is considered sensitive and valuable.

“As criminals, the attackers go after them because, No. 1, they're likely to pay the ransoms because they're trying to help people with health care,” Danahy said. “The second reason is that the data that they steal, if they don't get what they're looking for, is more valuable to sell on the market.”

Rhysida, the group responsible, has been around for some time, Danahy said, but has risen to prominence and was the subject of a warning from federal law enforcement last year.

The group was responsible for a monthslong leak at the Lurie Children’s Hospital earlier this year that led to the breach of records belonging to 800,000 patients and left the hospital’s systems offline for several months.

Danahy said it was laudable that Axis was able to bring its system back online so quickly after the breach, given that many organizations are not able to do so.

“That part is good,” he said. “Now that the data is out there, there is really very little that the organization can do to sort of retrieve it.”

Axis’ next steps are likely to be oriented toward preventing future attacks.

Leonard-Saunders did not address whether Axis had opted to pay the ransom.

“We’re working with experts and we brought in people who specialize in this,” she said.

Danahy added that paying the ransom is generally not advisable.

“We've seen, historically, that in many cases, even when the ransom is paid, the data still gets out,” he said. “So there is no guarantee that once the ransom is paid that it won't happen anyway, because we are dealing with criminals.”

rschafir@durangoherald.com


