Kidney dialysis giant DaVita has confirmed that a ransomware attack compromised the personal and health information of nearly 2.7 million individuals. The breach, carried out by the Interlock ransomware group, impacted sensitive data stored in DaVita’s dialysis labs database, including patient names, Social Security numbers, treatment histories, and insurance details. In some cases, tax identification numbers and images of personal checks were also stolen.
Source: wikipedia.org.
The breach occurred between March 24 and April 12, when attackers infiltrated and partially encrypted DaVita’s network before being detected and expelled. Initial reports to the U.S. Department of Health and Human Services indicated nearly 2.7 million victims, although internal counts reportedly place the number closer to 2.4 million.
Interlock claimed responsibility for the breach in late April, alleging they had exfiltrated roughly 1.5 terabytes of data—nearly 700,000 files. After ransom negotiations failed, the gang leaked the stolen data on its dark web site. DaVita later confirmed the authenticity of the leaked files, which included highly sensitive medical and financial records. Despite this, DaVita has not publicly confirmed whether a ransom was demanded or paid.
Last month, the Cybersecurity and Infrastructure Agency (CISA) issued a security brief with the following mitigation tips:
Source: cisa.gov.
The ransomware group, active since late 2024, has a growing track record of targeting healthcare providers. It has previously deployed NodeSnake malware in attacks against academic and medical institutions, including Kettering Health in the U.S. and several UK universities.
The DaVita breach is a stark reminder that healthcare organizations remain high-value targets for ransomware gangs. Security teams must take proactive steps: implement rigorous segmentation and monitoring of sensitive databases, conduct regular incident response simulations, and invest in continuous threat intelligence to detect and block emerging tools like NodeSnake. Most critically, healthcare providers should prioritize rapid detection and containment capabilities—especially during off-hours—when attackers often strike. For any organization managing protected health information, visibility and response agility are the front lines of patient data defense.
