US-based kidney dialysis provider DaVita confirmed a ransomware attack that resulted in the theft of sensitive personal and clinical data, impacting over 900,000 customers. The incident, which began on March 24, 2025, and was contained by April 12, involved the exfiltration of personally identifiable information, including names, dates of birth, social security numbers, health insurance details, and clinical data such as health conditions and dialysis lab results. The breach also exposed tax identification numbers and images of checks for some individuals. DaVita incurred significant costs, including $13.5 million for remediation and system restoration, with additional increases in patient care and administrative expenses. The Interlock ransomware group claimed responsibility, alleging the theft of 1.5 TB of data.
Source: https://www.infosecurity-magazine.com/news/clinical-data-stolen-kidney/
TPRM report: https://www.rankiteo.com/company/davita
"id": "dav357080725",
"linkid": "davita",
"type": "Ransomware",
"date": "3/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '915,952',
'industry': 'Healthcare',
'location': 'US',
'name': 'DaVita',
'type': 'Healthcare Provider'}],
'customer_advisories': 'Notification letters sent to impacted customers',
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': '915,952',
'personally_identifiable_information': 'Names, dates of '
'birth, social '
'security numbers, '
'health '
'insurance-related '
'information',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally identifiable '
'information',
'Clinical information',
'Tax identification numbers',
'Images of checks']},
'date_detected': '2025-03-24',
'date_publicly_disclosed': '2025-08-05',
'date_resolved': '2025-04-12',
'description': 'US-based kidney dialysis provider DaVita confirmed that '
'sensitive personal and clinical data was stolen from its '
'systems, impacting over 900,000 customers. The incident was '
'ransomware-related and involved the Interlock ransomware '
'group.',
'impact': {'brand_reputation_impact': 'Potential negative impact due to data '
'breach',
'data_compromised': 'Yes',
'financial_loss': '$13.5 million',
'identity_theft_risk': 'High',
'operational_impact': 'Increased patient care costs by $1m, '
'general and administrative expenses rose by '
'$12.5m',
'payment_information_risk': 'Limited cases of images of checks '
'written to DaVita were accessed',
'systems_affected': 'Dialysis labs database'},
'investigation_status': 'Ongoing',
'motivation': 'Financial gain, data theft',
'ransomware': {'data_exfiltration': '1.5 TB of data',
'ransomware_strain': 'Interlock'},
'recommendations': 'Customers urged to be vigilant against identity theft and '
'fraud; free credit monitoring services offered',
'references': [{'source': 'Comparitech'}],
'response': {'communication_strategy': 'Notification letters to impacted '
'customers',
'containment_measures': 'Blocked threat actor from servers',
'incident_response_plan_activated': 'Yes',
'remediation_measures': 'Restored systems with third-party '
'cybersecurity professionals',
'third_party_assistance': 'Yes'},
'threat_actor': 'Interlock ransomware group',
'title': 'DaVita Data Breach',
'type': 'Data Breach, Ransomware'}