NorthAxis Clinical Technologies incident wipes 28,000 devices after attackers abuse internal management platform
March 18, 2026 — NorthAxis Clinical Technologies says an incident involving unauthorized access to its internal systems led to the remote wipe of approximately 28,000 corporate devices, with attackers leveraging the company’s own management platform to execute the action.
The company, which develops and supports connected medical and clinical systems, confirmed that the disruption impacted internal corporate endpoints used across operations, support, and administrative teams.
According to sources familiar with the response, the attackers gained access to an enterprise endpoint management system used to deploy updates and enforce device policies across the organization. Rather than deploying malware, the threat actor issued legitimate administrative commands through the platform, triggering a mass reset of devices.
The commands were authenticated and executed within normal system workflows, allowing the activity to proceed without being immediately flagged as malicious.
The wipe affected devices across multiple departments, including customer support and field operations, with impacted systems reset to factory settings and local data removed. Employees were locked out of corporate environments as recovery efforts began.
NorthAxis Clinical Technologies has not publicly attributed the incident, but sources indicate the activity is consistent with tactics used by politically motivated hacktivist groups, where disruption is prioritized over data theft.
There is currently no evidence that malware was deployed in the environment. Instead, the incident appears to have relied entirely on abuse of trusted administrative tools and existing system privileges.
The company stated that clinical systems and patient-facing technologies were not directly impacted, though internal operations supporting those environments experienced disruption.
Recovery efforts are underway, with teams working to restore affected devices and review access controls around centralized management systems. It remains unclear how access to the platform was initially obtained.
The incident highlights a growing trend in cyber operations, where attackers increasingly rely on legitimate tools and authorized access to carry out large-scale disruption, particularly in environments where centralized systems control large fleets of devices.
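Because the wipe commands were authenticated and ran inside normal workflows, a volume check on the management platform's audit trail is one way to surface this kind of abuse. The following is an added illustration, not code from NorthAxis or any vendor; the event fields, account names, and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records: (timestamp, admin account, action, device id).
# The field layout is hypothetical, not any specific product's log format.
def sample_events():
    base = datetime(2026, 1, 1, 9, 0, 0)
    events = [
        (base, "helpdesk-01", "wipe", "dev-0001"),  # routine single wipe
        (base + timedelta(minutes=30), "helpdesk-01", "wipe", "dev-0002"),
        (base + timedelta(hours=1), "helpdesk-02", "policy_push", "dev-0003"),
    ]
    # Burst: one account wipes 40 distinct devices, two seconds apart.
    burst = base + timedelta(hours=2)
    events += [
        (burst + timedelta(seconds=2 * i), "svc-admin", "wipe", f"dev-{1000 + i}")
        for i in range(40)
    ]
    return events

def detect_mass_wipe(events, window=timedelta(minutes=10), max_devices=5):
    """Alert once per account when its wipe commands reach more than
    max_devices distinct devices inside a sliding time window."""
    recent = defaultdict(deque)  # account -> deque of (time, device)
    alerted = set()
    alerts = []
    for ts, account, action, device in sorted(events):
        if action != "wipe":
            continue
        q = recent[account]
        q.append((ts, device))
        # Drop wipe commands that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > max_devices and account not in alerted:
            alerted.add(account)
            alerts.append((ts, account, distinct))
    return alerts

if __name__ == "__main__":
    for ts, account, count in detect_mass_wipe(sample_events()):
        print(f"{ts.isoformat()} ALERT {account} wiped {count} devices in window")
```

The same threshold can gate execution rather than only alert, holding destructive commands above the limit for a second administrator's approval.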
Breaking down systems, one layer at a time. — Mira Evans
