DaVita, a major provider of kidney dialysis services, has confirmed a significant data breach, revealing that a ransomware attack compromised the personal and health information of approximately 2.7 million people. The breach, which occurred in the spring of 2025, saw attackers gain unauthorized access to DaVita’s network and steal highly sensitive information from its dialysis labs database. This incident has raised serious concerns about the security of patient data, especially for a company that serves over 265,000 patients across thousands of outpatient dialysis centers worldwide. The company is now facing the fallout, including the need to notify affected individuals and address the financial and reputational damage.
The cyberattack first came to light in April when DaVita filed a report with the U.S. Securities and Exchange Commission (SEC), noting a disruption to its operations after parts of its network were encrypted. A dedicated website later provided more detail, stating that the attackers had access to the company’s systems from March 24 until they were detected and evicted on April 12. During this period, the threat actors were able to exfiltrate a vast amount of data. This delay in detection and notification has sparked criticism and is the subject of ongoing investigations and potential lawsuits.
The stolen information is a trove of personal and medical data, posing a significant risk to the affected individuals. The breach exposed a combination of personal identifiers such as names, addresses, dates of birth, and Social Security numbers. It also compromised sensitive health information, including an individual’s condition, treatment details, and dialysis lab test results. For some individuals, the stolen data was even more extensive, including tax identification numbers and images of personal checks. This breadth of compromised information increases the potential for identity theft, financial fraud, and other malicious activities.
Although DaVita did not publicly name the perpetrator, the Interlock ransomware gang claimed responsibility for the attack in late April. The group alleged they had stolen roughly 1.5 terabytes of data and, after failed negotiations, leaked a portion of it on their dark web portal. DaVita’s subsequent investigation confirmed the legitimacy of these leaked files, finding that some had indeed been stolen from its dialysis labs. This confirmation underscored the severity of the breach and the immediate threat to the privacy of its patients.
The Interlock ransomware operation is a relatively new but aggressive player in the cybercrime landscape, emerging in September 2024 with a focus on targeting healthcare organizations. The gang has been linked to other notable attacks and malware campaigns, demonstrating a sophisticated approach to infiltrating and compromising networks. The DaVita breach is part of a troubling trend of cybercriminals targeting the healthcare industry, highlighting the vulnerability of critical healthcare infrastructure and the urgent need for robust cybersecurity measures to protect sensitive patient information.