Dialysis firm DaVita pwned by Interlock… 915,000 affected

Kidney dialysis company DaVita today confirmed it notified 915,952 people of an April 2 breach of its systems, and that the following info was swiped:

  • Names
  • Social Security numbers
  • Health insurance info
  • Medical info including conditions, treatments, and test results
  • Tax ID numbers
  • Images of checks made out to DaVita
  • Dates of birth
  • Addresses

The attack disrupted internal operations at DaVita, and the Interlock ransomware gang took credit for the attack.

Rebecca Moody, Head of Data Research at Comparitech, had this comment:

“This attack on DaVita is one of the largest data breaches via ransomware this year so far. It’s the seventh largest overall, the third largest in the US, and the third largest on a healthcare provider. This highlights the far-reaching consequences these attacks have, particularly as ransomware gangs remain increasingly focused on stealing vast quantities of data.”

“Interlock, in particular, is notorious for its data theft claims. Across its 54 victims, it alleges to have stolen over 79.2 TB of data, with an average of nearly 1.5 TB per victim. This is higher than most other groups (in July 2025, for example, the average known data theft across all attacks by all groups was just over 475 GB). It was also responsible for the attacks on Texas Tech University Health Sciences Center in September 2024 where nearly 1.5 million people were affected, Brockton Neighborhood Health Center in November 2024 in which 97,488 people were affected, and, more recently, in May 2025, Texas Digestive Specialists (Gastroenterology Consultants of South Texas) in which 41,521 people were impacted.”

“Interlock was responsible for the disruptive attack on Kettering Health in May 2025, too. A data breach following this attack is yet to be confirmed, but in this attack, Interlock said it had stolen 941 GB in total.”

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, adds this comment:

“Certainly, something impacted patients need to be concerned about is scammers using the stolen information against them. That sort of thing happens all the time. For example, you could get a supposed (fraudulent) medical billing company calling a potential victim with all the right information (e.g., medical treatment, dates performed, names, addresses, dob, etc.) and then asking the potential victim for some made-up outstanding payment. Every data theft is new information that can be used by a scammer.”

Ensar Seker, CISO at SOCRadar, followed up with this comment:

“This incident with DaVita is a sobering illustration of how ransomware campaigns continue to target healthcare’s most critical third-party providers. Operating more than 2,600 dialysis clinics nationwide, DaVita serves over 200,000 patients. In April they suffered a ransomware attack, later claimed by the Interlock ransomware gang, which reportedly exfiltrated and leaked terabytes of patient data including sensitive personal health and insurance information, Social Security numbers, and financial data, impacting nearly one million individuals.”

“While DaVita’s contingency plans have ensured patient treatment hasn’t been interrupted, the breach highlights a key truth: operational resilience doesn’t equate to data resilience. Encrypting systems may be recoverable, but exfiltration of personal health information brings long-term repercussions from identity theft and fraud to regulatory penalties and reputational damage.”

“This attack underscores several health sector realities: first, the growing threat from criminal groups targeting critical third-party providers, which can create widespread exposure across multiple healthcare entities. The strategy is calculated: by hitting one vendor, threat actors pressure dozens of connected institutions. Second, healthcare providers must assume data exfiltration is part of the ransomware playbook, not a secondary outcome. As this attack shows, even without disrupting clinical workflows, the long tail of exposed data damages remains severe.”

“For healthcare CISOs, it’s clear that traditional defenses alone aren’t enough. Continuous monitoring of not only local infrastructure but also vendor environments, encryption of both data at rest and in transit, and segmented access controls, even within SaaS platforms, are essential. In addition, patient communication and identity protection must be swift and transparent to preserve trust, regardless of operational impact.”

Two things jump out at me. First, health care is once again the low-hanging fruit for threat actors. Second, 915,000 people are going to be really badly affected by every threat actor who means to do harm. This isn’t a good situation.
