A healthcare provider that operates in Western and Southwestern Colorado is alerting patients that their personally sensitive information may have been posted online following a breach of their security systems.
In a press release Thursday, Axis Health System said a “cybercriminal” gained access to their systems, including files for patients and employees.
“We know that the cybercriminal posted files from our network on the dark web,” the release said. “We are in the process of investigating the full nature and scope of the information posted, but it appears the files include patient and employee information.”
Axis Health System has 13 facilities in 11 Colorado towns.
According to cybersecurity groups that track successful hacking attempts, Axis Health was breached by the hacking firm Rhysida, who then demanded a ransom for the data in the sum of 25 Bitcoin. At current prices, that amounts to about $1.7 million in actual money.
The Cybersecurity and Infrastructure Security Agency (CISA), which operates under the Department of Homeland Security, said Rhysida typically targets education, health care, manufacturing, IT and government sectors.
“Rhysida actors reportedly engage in ‘double extortion’ — demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid,” according to CISA.
Kurtis Minder, a Grand Junction-based cybersecurity expert who runs the company GroupSense, told CPR News Rhysida has some “pretty sophisticated phishing campaigns” that have allowed them to breach multiple health care systems.
“They do tend to target health care institutions, which is just awful. But I've seen a lot of it. In fact, the health care institution that my parents use in Illinois was attacked by Rhysida not too long ago,” Minder said.
Minder said advancements in artificial intelligence have made hacking easier. For example, AI can allow groups to code a webpage that looks similar to an existing company in order to trick users into entering security information. He said many of the best defenses for companies being targeted are procedural.
“A lot of (hacks) are preventable if the right precautions are taken, and they're not necessarily expensive precautions, they're more procedural and operational in nature, but companies don't fully understand that yet,” Minder said. “They're getting there, but not yet.”
Concerned Coloradans should consider things like a credit freeze, Minder said, as well as evaluating their own cyber hygiene by using a password manager, employing two-factor authentication wherever possible and making use of identity protection services.
The nonprofit health care provider said the “irregular” activity was first identified in August, and further investigation showed that the hackers gained access to the system between July 9 and Sept. 4 of this year. They said affected patients will be notified by mail, and are encouraging anyone who could be impacted to monitor their credit report and consider a credit freeze on their accounts.
A credit freeze can be done by contacting the three major credit bureaus: Equifax, TransUnion or Experian.