DaVita, a leading US-based kidney dialysis provider, suffered a severe ransomware attack in **March 2025**, orchestrated by the **Interlock** gang. The breach compromised **2,689,826 patient records**, with hackers allegedly exfiltrating **1.51 TB of sensitive data**, including medical histories, treatment details, and personally identifiable information (PII). The attack disrupted critical healthcare operations, raising concerns over patient safety and data privacy compliance (e.g., HIPAA violations). While DaVita did not confirm whether a ransom was paid, the incident underscored vulnerabilities in third-party vendor integrations and legacy system protections. The breach’s scale—ranked among the **top 5 largest healthcare ransomware attacks of Q1-Q3 2025**—highlighted the escalating targeting of healthcare providers by cybercriminals exploiting high-value patient data for extortion. The prolonged recovery period further strained resources, with potential long-term reputational damage and regulatory penalties looming.
TPRM report: https://www.rankiteo.com/company/davita
```json
{
  "id": "dav5192551100925",
  "linkid": "davita",
  "type": "Ransomware",
  "date": "3/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
```
{'affected_entities': [{'customers_affected': '5,445,866',
'industry': 'Healthcare',
'location': 'US',
'name': 'Episource',
'type': 'Healthcare Technology Company'},
{'customers_affected': '2,689,826',
'industry': 'Healthcare',
'location': 'US',
'name': 'DaVita',
'type': 'Kidney Dialysis Provider'},
{'customers_affected': '941,000',
'industry': 'Healthcare',
'location': 'Netherlands',
'name': 'Clinical Diagnostics (Eurofins)',
'type': 'Laboratory Testing Service'},
{'customers_affected': '934,326',
'industry': 'Healthcare',
'location': 'US',
'name': 'Frederick Health',
'type': 'Healthcare Provider'},
{'customers_affected': '456,385',
'industry': 'Healthcare',
'location': 'US',
'name': 'Goshen Medical Center',
'type': 'Healthcare Provider'},
{'customers_affected': '300,000',
'industry': 'Healthcare',
'location': 'Japan',
'name': 'Utsunomiya Central Clinic',
'type': 'Healthcare Provider'},
{'customers_affected': '247,000',
'industry': 'Healthcare',
'location': 'US',
'name': 'Medical Associates of Brevard',
'type': 'Healthcare Provider'},
{'customers_affected': '236,000',
'industry': 'Healthcare',
'location': 'US',
'name': 'Marlboro-Chesterfield Pathology',
'type': 'Healthcare Provider'},
{'customers_affected': '320,000',
'industry': 'Healthcare',
'location': 'Australia',
'name': 'Compumedics Limited',
'type': 'Healthcare Business (Medical Devices)'},
{'customers_affected': '241,000',
'industry': 'Healthcare',
'location': 'Ireland',
'name': 'Ocuco Limited',
'type': 'Healthcare Business (Eye Care Software)'},
{'industry': 'Healthcare',
'location': 'UK',
'name': 'HCRG Care Group',
'type': 'Healthcare Provider'},
{'industry': 'Healthcare',
'location': 'Taiwan',
'name': 'Mackay Memorial Hospital',
'type': 'Healthcare Provider'},
{'industry': 'Healthcare',
'location': 'US',
'name': 'Cookeville Regional Medical Center',
'type': 'Healthcare Provider'},
{'customers_affected': '500 (placeholder)',
'industry': 'Healthcare',
'location': 'US',
'name': 'SimonMed Imaging',
'type': 'Healthcare Provider'},
{'industry': 'Healthcare',
'location': 'Taiwan',
'name': 'Changhua Christian Hospital',
'type': 'Healthcare Provider'},
{'customers_affected': '5,600,000',
'industry': 'Healthcare',
'location': 'US',
'name': 'Ascension (2024 reference)',
'type': 'Healthcare Provider'},
{'industry': 'Healthcare',
'location': 'UK',
'name': 'Synnovis (2024 reference)',
'type': 'Healthcare Provider'}],
'attack_vector': ['Phishing',
'Exploiting Vulnerabilities',
'Third-Party Compromise',
'Supply Chain Attack'],
'customer_advisories': ['Episource: Notified 5.4M individuals; offered credit '
'monitoring.',
'DaVita: Notified 2.7M individuals; provided identity '
'theft protection.',
'Frederick Health: Notified ~1M patients; advised on '
'fraud prevention.',
'General: Affected individuals advised to freeze '
'credit, monitor accounts, and report suspicious '
'activity.'],
'data_breach': {'data_encryption': ['Yes (e.g., Goshen Medical Center, Mackay '
'Memorial Hospital)'],
'data_exfiltration': ['Yes (e.g., DaVita: 1.51 TB; Clinical '
'Diagnostics: 941K records)'],
'file_types_exposed': ['Medical images',
'Patient records',
'Billing data',
'HR files'],
'number_of_records_exposed': '13,472,042 (confirmed across '
'providers and businesses)',
'personally_identifiable_information': ['Names',
'Addresses',
'Social Security '
'Numbers',
'Medical History',
'Insurance Details'],
'sensitivity_of_data': ['High (medical records, PII)',
'Moderate (payment data)'],
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Medical Records',
'Payment Information',
'Employee Data',
'Operational Data']},
'date_detected': '2025-01-01',
'date_publicly_disclosed': '2025-10-01',
'description': 'In the first nine months of 2025, 293 ransomware attacks were '
'recorded on hospitals, clinics, and other direct care '
'providers, with an additional 130 attacks on healthcare '
'businesses (e.g., pharmaceutical manufacturers, medical '
'billing providers, and healthcare tech companies). Attacks on '
'healthcare providers declined quarterly since Q4 2024, while '
'attacks on healthcare businesses rose by 30% compared to '
'2024. Key trends include increased targeting of third-party '
'contractors, high-profile breaches (e.g., Ascension, '
'Synnovis), and evolving ransomware strains like INC, Qilin, '
'and Medusa. The US was the most targeted country (257 '
'attacks), followed by Australia, Germany, and the UK. Notable '
'breaches include Episource (5.4M records), DaVita (2.7M '
'records), and Clinical Diagnostics (941K records). Average '
'ransom demands were ~$514K (providers) and ~$532K '
'(businesses), with only one confirmed payment (Clinical '
'Diagnostics).',
'impact': {'brand_reputation_impact': ['High (due to high-profile breaches '
'like Ascension, Synnovis, and '
'Episource)'],
'data_compromised': '13,472,042 records (confirmed across '
'providers and businesses)',
'downtime': ['Cookeville Regional Medical Center: Several days '
'(July 2025)',
'Changhua Christian Hospital: ~2 days (March 2025)',
'Mackay Memorial Hospital: Not specified (February '
'2025)'],
'identity_theft_risk': ['High (PII and medical records exposed)'],
'legal_liabilities': ['Potential HIPAA violations (US), GDPR fines '
'(EU), and other regulatory penalties'],
'operational_impact': ['Technical outages (e.g., Cookeville '
'Regional Medical Center)',
'Delayed patient notifications (avg. 3.7 '
'months in the US)',
'Disruption of healthcare services (e.g., '
'dialysis, diagnostics)'],
'payment_information_risk': ['Moderate (e.g., medical billing '
'providers targeted)']},
'initial_access_broker': {'backdoors_established': ['Likely (e.g., Qilin, INC '
'groups known for '
'persistence)'],
'data_sold_on_dark_web': ['Yes (e.g., Qilin '
'auctioned Shamir Medical '
'Center data; Nova '
'threatened Clinical '
'Diagnostics)'],
'entry_point': ['Phishing emails',
'Exploited vulnerabilities in '
'third-party software',
'Compromised credentials',
'Supply chain attacks'],
'high_value_targets': ['Patient databases',
'Billing systems',
'Medical research data',
'Intellectual property '
'(e.g., pharmaceutical '
'manufacturers)']},
'investigation_status': 'Ongoing (some attacks from Q1-Q3 2025 still under '
'investigation; unconfirmed attacks may be updated)',
'lessons_learned': ['Third-party vendors are increasingly targeted as entry '
'points to larger networks.',
'Delayed breach disclosure (avg. 3.7 months in the US) '
'highlights need for faster reporting.',
'Ransomware gangs like Qilin and INC are evolving '
'tactics, demanding higher ransoms and exfiltrating more '
'data.',
'Healthcare providers improving defenses (e.g., backups, '
'training) may be shifting attacks to less-prepared '
'businesses.',
'Cross-border attacks (e.g., Qilin targeting Israel’s '
'Shamir Medical Center) require international '
'coordination.'],
'motivation': ['Financial Gain', 'Data Theft', 'Disruption of Services'],
'post_incident_analysis': {'corrective_actions': ['Mandate third-party '
'security assessments for '
'all vendors.',
'Deploy endpoint detection '
'and response (EDR) tools '
'across healthcare '
'networks.',
'Implement immutable '
'backups with offline '
'storage to prevent '
'ransomware encryption.',
'Establish cross-sector '
'threat intelligence '
'sharing (e.g., H-ISAC).',
'Enforce multi-factor '
'authentication (MFA) for '
'all remote access and '
'privileged accounts.',
'Conduct regular red team '
'exercises to test incident '
'response plans.'],
'root_causes': ['Inadequate third-party vendor '
'security (e.g., Episource, '
'Ocuco).',
'Delayed patching of known '
'vulnerabilities (e.g., exploited '
'by Interlock, Nova).',
'Lack of network segmentation '
'allowing lateral movement (e.g., '
'DaVita, Synnovis).',
'Insufficient employee training on '
'phishing/social engineering.',
'Over-reliance on legacy systems '
'without modern security '
'controls.']},
'ransomware': {'data_encryption': ['Yes (most confirmed attacks)'],
'data_exfiltration': ['Yes (e.g., DaVita: 1.51 TB; Clinical '
'Diagnostics: 941K records)'],
'ransom_demanded': ['$2M (HCRG Care Group, Medusa)',
'$1.5M (Mackay Memorial Hospital, Crazy '
'Hunter)',
'$1.15M (Cookeville Regional Medical '
'Center, Rhysida)',
'$1M (SimonMed Imaging, Medusa)',
'$800K (Changhua Christian Hospital, Crazy '
'Hunter)',
'$700K (Shamir Medical Center, Qilin)',
'$50M (Synnovis 2024, Qilin)',
'Average: $514K (providers), $532K '
'(businesses)'],
'ransom_paid': ['$1.1M (Clinical Diagnostics, Nova)'],
'ransomware_strain': ['INC (39 claims; 15 confirmed)',
'Qilin (34 claims; 14 confirmed)',
'SafePay (21 claims)',
'RansomHub (13 claims; 6 confirmed)',
'Medusa (13 claims; 8 confirmed)',
'KillSec (12 claims; 2 confirmed)',
'Akira (10 claims; 2 confirmed)',
'BianLian (5 claims; 5 confirmed)',
'Interlock (4 claims; 4 confirmed)',
'Nova (2 claims; 1 confirmed)',
'Crazy Hunter (2 claims)',
'Rhysida (1 claim)',
'Van Helsing (1 claim)']},
'recommendations': ['Enhance third-party risk management (e.g., vendor '
'security audits).',
'Implement zero-trust architecture and network '
'segmentation to limit lateral movement.',
'Accelerate patch management for known vulnerabilities '
'exploited by ransomware groups.',
'Conduct regular tabletop exercises for ransomware '
'response.',
'Improve transparency in breach reporting to reduce '
'delays in public notification.',
'Invest in adaptive behavioral WAFs and real-time '
'monitoring for early detection.',
'Develop clear policies on ransom payment (e.g., legal, '
'ethical, and operational considerations).',
'Strengthen data encryption for sensitive records (e.g., '
'PII, medical data).'],
'references': [{'date_accessed': '2025-10-01',
'source': 'Worldwide Ransomware Tracker (Q1-Q3 2025)',
'url': 'https://example.com/ransomware-tracker'},
{'date_accessed': '2025-10-01',
'source': 'HHS OCR Data Breach Tool',
'url': 'https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf'},
{'date_accessed': '2025-09-30',
'source': 'Episource Breach Notification',
'url': 'https://example.com/episource-breach'},
{'date_accessed': '2025-03-15',
'source': 'DaVita Breach Disclosure',
'url': 'https://example.com/davita-breach'},
{'date_accessed': '2025-07-20',
'source': 'Clinical Diagnostics (Eurofins) Ransomware '
'Incident',
'url': 'https://example.com/eurofins-breach'}],
'regulatory_compliance': {'legal_actions': ['HCRG Care Group issued '
'injunction against Medusa'],
'regulations_violated': ['HIPAA (US)',
'GDPR (EU)',
'Local data protection '
'laws (e.g., Australia, '
'Taiwan)'],
'regulatory_notifications': ['Mandatory in the US '
'(HHS OCR), EU (GDPR), '
'and other regulated '
'regions']},
'response': {'communication_strategy': ['Delayed public disclosure (avg. 3.7 '
'months in the US)',
'Direct notifications to affected '
'individuals (e.g., Episource, '
'DaVita)',
'Regulatory filings (e.g., HHS OCR in '
'the US)'],
'containment_measures': ['System isolation (e.g., SimonMed '
'interrupted hackers)',
'Backup restoration (assumed for '
'providers with backups)',
'Network segmentation (likely for some '
'entities)'],
'enhanced_monitoring': ['Assumed for high-risk entities (e.g., '
'ransomware targets)'],
'incident_response_plan_activated': ['Yes (for confirmed '
'attacks, e.g., Clinical '
'Diagnostics, HCRG Care '
'Group)'],
'law_enforcement_notified': ['Yes (e.g., Clinical Diagnostics '
'involved police; general practice '
'in regulated regions)'],
'network_segmentation': ['Likely implemented post-breach for '
'some entities'],
'recovery_measures': ['Technical outage recovery (e.g., '
'Cookeville Regional Medical Center)',
'Data restoration from backups (where '
'available)',
'Public communications (e.g., breach '
'notifications, press releases)'],
'remediation_measures': ['Patch management (e.g., healthcare '
'providers updating systems post-2024 '
'attacks)',
'Employee training (e.g., cybersecurity '
'awareness programs)',
'Data breach notifications (e.g., '
'Episource, DaVita, Frederick Health)'],
'third_party_assistance': ['Cybersecurity firms (unspecified)',
'Legal teams (e.g., HCRG Care Group '
'issued injunction against Medusa)']},
'stakeholder_advisories': ['Healthcare providers: Review third-party vendor '
'security postures.',
'Regulators: Monitor compliance with breach '
'notification timelines.',
'Cybersecurity firms: Share threat intelligence on '
'emerging ransomware strains (e.g., INC, Qilin).',
'Patients: Monitor credit reports and medical '
'records for signs of identity theft.'],
'threat_actor': ['INC Ransomware',
'Qilin Ransomware',
'Medusa Ransomware',
'RansomHub',
'BianLian',
'KillSec',
'Akira',
'SafePay',
'Interlock',
'Nova',
'Crazy Hunter',
'Rhysida',
'Van Helsing'],
'title': 'Ransomware Attacks on Healthcare Sector in Q1-Q3 2025',
'type': ['Ransomware', 'Data Breach']}