Cyberattack targets healthcare nonprofit overseeing 13 Colorado facilities

A prominent hospital system in Colorado said a cyberattack is affecting the portal patients use to communicate with providers. 

Axis Health System operates 13 facilities serving thousands of people across southwest and western Colorado. The nonprofit posted a message on its website this week confirming it is experiencing a cyber incident. 

It is unclear when the incident started and Axis Health did not respond to requests for additional information. 

“Upon discovery, Axis quickly followed its incident response protocol and took steps to stop the activity and investigate the nature and scope of the incident,” they said. “If it is determined that patient data was impacted, affected individuals will be notified directly by mail. We are still investigating this incident.”

The organization added that its primary care patient portal is currently offline. 

“If you need to communicate with your provider or for other inquiries, please call your clinic directly,” officials urged patients. 

The attack was claimed on Thursday by the Rhysida ransomware gang, which demanded more than $1.5 million to unlock the data. 

The group has become well known for attacking hospital systems and governments, with several notable incidents over the last year affecting hospitals run by Prospect Medical as well as the governments of Columbus, Ohio and Seattle, Washington. 

Healthcare devices exposed

The attack came to light on the same day that security research firm Censys published a report spotlighting the danger healthcare organizations face when they expose devices and systems to the internet.

Researchers found 14,004 unique IP addresses exposing healthcare devices and data systems connected to potentially sensitive medical information on the public internet. 

“These exposures greatly raise the risk of unauthorized access and exploitation. This figure likely reflects the lower bound of the total risk, as many more devices may be exposed but not publicly visible,” they said.

Almost half of the devices found are located in the United States, and India also had a sizable proportion of devices exposed.

Servers used to handle medical images accounted for 36% of those discovered while electronic health record (EHR) systems accounted for 28% of devices exposed. 

Some of the other platforms exposed include NextGen Healthcare’s Mirth Connect — in May, CISA issued a warning about the active exploitation of a vulnerability in the tool that allowed unauthenticated attackers to compromise login gateways and access sensitive healthcare data.

Censys also found about 5,100 publicly-exposed servers running DICOM, or “Digital Imaging and Communications in Medicine” — a network protocol used to transmit medical images such as MRIs and CT scans.

Censys said most of the exposed servers it identified seem to be tied to independent radiology and pathology service providers, as well as imaging departments within larger hospital networks.

“It’s likely because radiology practices and researchers often need to share and review images with external parties outside of their networks, leading to configurations that prioritize accessibility over security,” they explained. “This often results in DICOM servers and interfaces being deployed on the public internet without proper access controls like firewalls or VPNs.”

Censys said it contacted all of the organizations it found to notify them of their exposure and said healthcare leaders as well as lawmakers have to institute rules that limit access to systems holding sensitive data and mandate multi-factor authentication.