The IT Nerd

Kidney dialysis company DaVita today confirmed it notified 915,952 people of an April 2 breach of its systems, and that the following info was swiped:

• Names
• Social Security numbers
• Health insurance info
• Medical info including conditions, treatments, and test results
• Tax ID numbers
• Images of checks made out to DaVita
• Dates of birth
• Addresses

The attack disrupted internal operations at DaVita, and the Interlock ransomware gang took credit for the attack.

Rebecca Moody, Head of Data Research at Comparitech had this comment: 

“This attack on DaVita is one of the largest data breaches via ransomware this year so far. It’s the seventh largest overall, the third largest in the US, and the third largest on a healthcare provider. This highlights the far-reaching consequences these attacks have, particularly as ransomware gangs remain increasingly focused on stealing vast quantities of data.”

“Interlock, in particular, is notorious for its data theft claims. Across its 54 victims, it alleges to have stolen over 79.2 TB of data, with an average of nearly 1.5 TB per victim. This is higher than most other groups (in July 2025, for example, the average known data theft across all attacks by all groups was just over 475 GB). It was also responsible for the attacks on Texas Tech University Health Sciences Center in September 2024 where nearly 1.5 million people were affected, Brockton Neighborhood Health Center in November 2024 in which 97,488 people were affected, and, more recently, in May 2025, Texas Digestive Specialists (Gastroenterology Consultants of South Texas) in which 41,521 people were impacted.”

“Interlock was responsible for the disruptive attack on Kettering Health in May 2025, too. A data breach following this attack is yet to be confirmed, but in this attack, Interlock said it had stolen 941 GB in total.”

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4 adds this comment:

“Certainly, something impacted patients need to be concerned about is scammers using the stolen information against them. That sort of thing happens all the time. For example, you could get a supposed (fraudulent) medical billing company calling a potential victim with all the right information (e.g., medical treatment, dates performed, names, addresses, dob, etc.) and then ask the potential victim for some made-up outstanding payment. Every data theft is new information that can be used by a scammer.”

Ensar Seker, CISO at SOCRadar followed up with this comment:

“This incident with DaVita is a sobering illustration of how ransomware campaigns continue to target healthcare’s most critical third-party providers. Operating more than 2,600 dialysis clinics nationwide, DaVita serves over 200,000 patients. In April they suffered a ransomware attack, later claimed by the Interlock ransomware gang, which reportedly exfiltrated and leaked terabytes of patient data including sensitive personal health and insurance information, Social Security numbers, and financial data, impacting nearly one million individuals.”

“While DaVita’s contingency plans have ensured patient treatment hasn’t been interrupted, the breach highlights a key truth: operational resilience doesn’t equate to data resilience. Encrypting systems may be recoverable, but exfiltration of personal health information brings long-term repercussions from identity theft and fraud to regulatory penalties and reputational damage.”

“This attack underscores several health sector realities: first, the growing threat from criminal groups targeting critical third-party providers, which can create widespread exposure across multiple healthcare entities. The strategy is calculated: by hitting one vendor, threat actors pressure dozens of connected institutions. Second, healthcare providers must assume data exfiltration is part of the ransomware playbook, not a secondary outcome. As this attack shows, even without disrupting clinical workflows, the long tail of exposed data damages remains severe.”

“For healthcare CISOs, it’s clear that traditional defenses alone aren’t enough. Continuous monitoring of not only local infrastructure but also vendor environments, encryption of both data at rest and in transit, and segmented access controls, even within SaaS platforms, are essential. In addition, patient communication and identity protection must be swift and transparent to preserve trust, regardless of operational impact.”

Two things jump out at me. First, health care is once again the low hanging fruit for threat actors. Second, 915,000 people are going to be really badly affected by every threat actor who means to do harm. This isn’t a good situation.

On February 25th, 2024, a sophisticated ransomware attack struck the City of Hamilton, crippling roughly 80 percent of its network. This included business licensing, property-tax processing, and transit-planning systems. Cybercriminals proceeded to demand an $18.5 million ransom that the city refused to pay.

In April 2025, a new and interesting facet to this story emerged–Hamilton’s insurer denied the city’s insurance claim, citing the absence of fully implemented MFA at the time of the breach. 

In an analysis published today, Specops Sofware experts have dived into what happened in this attack, why Hamilton’s cyber insurance claim was denied, and how organizations should align cyber insurance with cybersecurity posture. 

David Ketler, Specops Software Cybersecurity Specialist commented:

“This incident isn’t unusual in the tools or escalation chain that led to the encryption of internal systems, but what is unusual is the refusal of insurance coverage due to MFA not being implemented. This goes to show that the cost of not implementing MFA is not just a nebulous security risk, but also a real financial one. There’s now precedent where an insurance claim has been denied due to poor authentication controls.

For full details, the analysis can be found at this link.