Rhysida Ransomware Group Claims Responsibility for Axis Health System Cyberattack

AXIS Health System, a network of behavioral health facilities based in Colorado, has published a notification on its website about a cyber incident. The notice provides little information about the nature of the attack beyond stating that incident response protocols were initiated. An investigation is ongoing to determine the nature and extent of the breach. If patient information was breached, AXIS Health will send notifications by direct mail to the affected individuals, as HIPAA compliance requires.

The Rhysida ransomware group claims to have stolen patient data during the attack. This ransomware-as-a-service (RaaS) group targets healthcare providers in its attacks. Barracuda Networks’ analysis of H1 2024 shows that Rhysida was responsible for 8% of ransomware attacks from August 2023 to July 2024, and 38% of the victims targeted by the group were healthcare organizations. Recent attacks involved Community Care Alliance in Rhode Island, BayHealth Healthcare System in Delaware, Prospect Medical in California, and Ann & Robert H. Lurie Children’s Hospital in Chicago.

The group uses double extortion tactics in its attacks, stealing information before encrypting files. Rhysida has a dark website where the group lists victims of its attacks, uploads stolen data, and leaks it. Unlike other RaaS groups, however, Rhysida first tries to sell the stolen information and only resorts to exposing the data if it fails to sell it. On October 10, 2024, Rhysida took responsibility for attacking the nonprofit AXIS Health and demanded a ransom of 25 BTC (about $1.58 million) within 7 days, making the payment deadline October 17, 2024. The group uploaded screenshots of the allegedly stolen data to its data leak site as evidence of the attack. The screenshots seem to contain some patient information. The group states that it will auction the stolen information to one buyer if no ransom is paid. The dark website does not state the volume of data stolen.

Another recently identified Rhysida attack targeted Golden Age Nursing Home, based in Guthrie, OK. Rhysida demanded a 10 BTC ransom from this Medicare-certified short-term nursing and rehabilitation service company to stop the sale or exposure of 102 GB of stolen data. Golden Age did not pay the ransom, and the stolen data was leaked.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]