In April 2025, the kidney dialysis giant DaVita disclosed a security incident in an SEC filing, although at the time, it was unclear how much sensitive data was stolen. Over the past 3 months, the investigation and data review have been progressing. State Attorneys General have been notified about the incident, and the scale of the data breach is becoming clearer.
Based on the state AG reports so far, the breach has affected more than 1 million patients; however, while all states have data breach notification laws, only a few publish breach reports, and only a handful publicly disclose the number of state residents affected. The table below shows the confirmed totals, but given that DaVita operates more than 2,675 outpatient dialysis centers in 43 states, the final total could well be several orders of magnitude larger.
| State | Individuals Affected |
| --- | --- |
| Oregon | 915,952 |
| Texas | 81,740 |
| Washington | 13,404 |
| Massachusetts | 7,829 |
| Confirmed Total | 1,018,925 |
At present, there is no listing on the HHS’ Office for Civil Rights breach portal. There is often a delay of a week or two between OCR receiving a breach report and adding it to the breach portal, so a listing is expected in the coming two weeks that will confirm how many individuals have been affected.
The notification letters provide further information about the data breach, although they do not mention ransomware. As reported below, the Interlock ransomware group claimed responsibility for the attack and claimed to have stolen 20 TB of data.
DaVita described the cyberattack as “a security incident that resulted in unauthorized access to certain DaVita network servers, primarily at its laboratories.” The intrusion was identified on April 12, 2025, and the threat actor was eradicated from its systems the same day. Third-party digital forensics experts were engaged to investigate the incident and assist with containment, eradication, and remediation.
The investigation confirmed that initial access to its network occurred on March 24, 2025, and continued until April 12, 2025. Data compromised in the incident included the dialysis labs database. The Interlock ransomware group claimed that it had stolen 20+ TB of databases, which included more than 200 million rows of patient data.
DaVita said the types of data involved were determined on or around June 18, 2025. The types of information compromised in the incident vary from individual to individual and may include:
- Demographic information – name, address, date of birth, Social Security number, health insurance-related information, and other identifiers internal to DaVita
- Clinical information – health condition, other treatment information, and certain dialysis lab test results
- Tax information – In limited cases, tax identification numbers and, for a small subset of individuals, images of checks written to DaVita
DaVita said additional security monitoring tools and enhanced system controls have been implemented to prevent similar incidents in the future. DaVita is unaware of any misuse of patient data as a result of the security incident, but as a precaution, is offering the affected individuals a complimentary membership to the Experian IdentityWorks identity theft protection service for 12-24 months.
April 25, 2025: Ransomware Group Claims Responsibility for DaVita Ransomware Attack; Leaks Data
In mid-April, the kidney dialysis service provider DaVita announced in an SEC filing that it was dealing with a ransomware attack that had encrypted parts of its network. An investigation had been launched to determine its impact and whether any patient data was compromised. DaVita said internal operations faced disruption, but care delivery has continued at its dialysis centers and for patients treated at home, and new patients continued to be accepted.
DaVita has yet to make an announcement about a data breach as the investigation and data review are ongoing; however, the Interlock ransomware group has recently claimed responsibility for the attack and has started to leak some of the exfiltrated data. The Interlock ransomware data leak site claims that 20+ terabytes of sensitive data were stolen, including files containing patient data. The group claims to have attempted ransom negotiations before adding DaVita to its data leak site when the negotiations failed. The listing offers 1.5 terabytes of the stolen data for download, spread across 683,104 files in 75,836 folders. The remainder of the data has not been leaked as the group is holding out for a sale. The group claims to be selling 20+ terabytes of SQL databases that include more than 200 million rows of patient data. The HIPAA Journal has not verified whether any patient data is present in the leaked files.
DaVita has confirmed it is aware of the ransomware group’s claims and is currently engaged in a comprehensive data review and is working as quickly as possible to confirm which individuals have been affected and the types of data involved. Any affected parties and individuals will be notified as soon as possible. DaVita has also promised to share the findings of its investigation with its vendors and partners to raise awareness on how to defend against future attacks.
“Interlock first began adding victims to its data leak site in October 2024. As with most ransomware gangs today, it seeks a ransom payment for the decryption of systems and the deletion of stolen data. Since October 2024, we’ve tracked 13 confirmed attacks via this group and a further 13 unconfirmed attacks that haven’t been acknowledged by the organizations in question,” Rebecca Moody, Head of Data Research at Comparitech, told The HIPAA Journal. “As we are seeing with DaVita, ransomware attacks on healthcare companies have the potential for widespread disruption. Not only can patient care be affected when systems are encrypted, but these attacks often have ongoing consequences when data is stolen by hackers. In 2024 alone, nearly 25.7 million individual records were breached across 160 ransomware attacks on US healthcare providers.”
At least two class action lawsuits have been filed against DaVita over the ransomware attack, even though DaVita has yet to confirm a data breach. DaVita disclosed the attack in an SEC filing but is still in the process of investigating the incident, and has not yet disclosed the types of information compromised in the attack or the number of affected individuals. The Interlock ransomware group claimed responsibility for the attack and has added DaVita to its data leak site. The lawsuits, Reid v. Davita Inc. and Jenkins et al v. DaVita, were both filed in the U.S. District Court for the District of Colorado and allege the stolen data is already being misused, but there has been no confirmation from DaVita that the plaintiffs’ sensitive data has been stolen, nor have they been offered any assistance with credit monitoring and identity theft protection services. More lawsuits are expected to be filed in the coming days and weeks.
April 15, 2025: Dialysis Provider DaVita Hit with Ransomware Attack
The kidney dialysis giant DaVita has fallen victim to a ransomware attack that resulted in the encryption of parts of its network. The attack occurred on Saturday, April 12, 2025, and is impacting some of its operations, according to a Monday, April 14, 2025, 8K filing with the U.S. Securities and Exchange Commission (SEC).
The Denver, CO-based Fortune 500 firm operates more than 2,650 outpatient treatment centers in the United States, 509 centers in 13 other countries, employs 76,000 people globally, and served around 200,000 patients in the United States last year. In 2024, the company reported revenues of $12.82 billion. DaVita outpatient centers are used by patients with kidney disease which requires frequent dialysis. Any disruption to patient services could therefore have serious health implications for patients.
DaVita explained that its incident response protocols were immediately initiated, and the impacted systems were isolated to contain the attack and limit its impact. Backup systems have been activated, and manual processes have been implemented to ensure that care can continue to be provided to patients. While the DaVita ransomware attack is causing some disruption to operations, all dialysis centers remain open and care continues to be provided to patients.
Interim measures have been implemented to allow the rapid restoration of certain functions, but DaVita is currently unable to provide an estimate of the duration or extent of disruption or a timeline for a full recovery. Third-party cybersecurity professionals have been engaged to assist with the investigation and recovery, and law enforcement has been notified. At present, no ransomware group appears to have claimed responsibility for the attack.
“Given the recency of the incident, our investigation and response are ongoing, and the full scope, nature, and potential ultimate impact on the Company are not yet known,” explained DaVita in its 8K filing. While there is a growing trend of ransomware groups eschewing encryption, the majority steal sensitive data and use it as leverage to obtain a ransom payment. At this early stage of the investigation, DaVita is unable to confirm to what extent, if any, sensitive patient data was exposed or stolen.
This post will be updated when further information becomes available.
The post DaVita Ransomware Attack Affects More Than 1 Million Individuals appeared first on The HIPAA Journal.