A major data breach affecting thousands of patients and staff has shaken Axis Health System, a nonprofit healthcare provider with 13 facilities across Western and Southwestern Colorado. The breach, now linked to the notorious Rhysida ransomware group, has resulted in sensitive files being posted on the dark web, including patient records and employee information.
The breach was first detected as “irregular activity” in August 2024, but further investigation has revealed that unauthorized access occurred between July 9 and September 4. The attack exploited vulnerabilities within the healthcare network’s internal systems, ultimately leading to the exfiltration of data and a ransom demand of 25 Bitcoin—roughly $1.7 million USD at current market rates.
According to Axis Health’s official statement, the cybercriminals “posted files from our network on the dark web,” though the full scope of the leak is still under forensic review. Sources confirm that the stolen data includes personally identifiable information (PII) of both patients and employees.
The attack follows the typical double extortion playbook used by Rhysida: encrypting files while simultaneously threatening to leak the stolen data unless the ransom is paid. The Cybersecurity and Infrastructure Security Agency (CISA), which has tracked Rhysida’s tactics, confirmed that the group frequently targets vulnerable sectors such as healthcare, education, manufacturing, and government.
Cybersecurity expert Kurtis Minder, speaking from Grand Junction, said Rhysida’s phishing infrastructure is “pretty sophisticated,” and that they have previously targeted other healthcare institutions across the U.S. Minder emphasized that AI-powered phishing and spoofed web portals make attacks like these easier to carry out than ever before.
“These breaches are often preventable,” Minder told TorNews.org. “But organizations underestimate the importance of procedural defenses—simple, low-cost practices that could block many of these attacks.”
Axis Health is now urging affected individuals to monitor their credit, freeze accounts, and activate identity protection services. Letters will be sent to patients whose information was compromised, but the long-term impact of the dark web leak is likely to linger.
For now, Rhysida’s leak site continues to showcase Axis Health’s stolen records—another reminder that even trusted community health providers are not immune to ransomware’s reach across the dark web.
