DaVita Reports Ransomware Group Compromised Data of Approximately 2.7 Million Individuals

DaVita, a kidney dialysis firm, has confirmed that a ransomware gang breached its network, resulting in the theft of personal and health information belonging to nearly 2.7 million individuals. The company serves over 265,400 patients across 3,113 outpatient dialysis centres, with 2,660 located in the United States and 453 in 13 other countries. In 2024, DaVita reported revenues exceeding $12 billion, with $3.3 billion generated in the second quarter of 2025. In April, the healthcare provider disclosed in a filing with the U.S. Securities and Exchange Commission (SEC) that its operations were disrupted after attackers partially encrypted its network over a weekend.

The attackers gained access to DaVita’s network on March 24 and were evicted after the company detected the incident on April 12. During their time within the systems, the threat actors stole data from DaVita’s dialysis labs database, which included a mix of personal information such as names, addresses, dates of birth, and social security numbers, as well as health insurance-related and health information, including conditions, treatment details, and dialysis lab test results. For some individuals, the stolen data also encompassed tax identification numbers and, in certain cases, images of personal cheques. The Department of Health’s Office for Civil Rights updated its breach portal, confirming that DaVita reported a total of 2,689,826 individuals had their data compromised in the incident.

While DaVita has not directly linked the attack to a specific ransomware operation, the Interlock ransomware gang claimed responsibility for the breach in late April. Following failed negotiations with DaVita, Interlock leaked the allegedly stolen data on its dark web portal, asserting that it had taken approximately 1.5 terabytes of data from the company’s compromised systems, which included nearly 700,000 files containing sensitive patient records, insurance details, user account information, and financial data. On June 18, DaVita confirmed the legitimacy of some leaked files after discovering that they had been stolen from its dialysis labs. A DaVita spokesperson was not immediately available for comment when BleepingComputer sought further details regarding the breach.

The Interlock ransomware operation emerged in September 2024, targeting victims globally across various industries, with a particular focus on healthcare organisations. Interlock has been linked to ClickFix and malware attacks, during which they deployed a remote access trojan called NodeSnake on the networks of multiple universities in the United Kingdom. More recently, the cybercrime gang also claimed to have hacked Kettering Health, a healthcare giant with over 120 outpatient facilities and more than 15,000 employees. Notably, 46% of environments had passwords cracked during these attacks. 

Categories: Data Breach, Ransomware Attack, Healthcare Security 

Tags: DaVita, Ransomware, Data Breach, Personal Information, Health Information, Interlock, Cybercrime, Dialysis Centers, SEC Filing, Healthcare Organizations