DaVita, a Denver-based kidney dialysis provider serving ~200,000 patients globally, suffered a **ransomware attack** by the **Interlock gang** in **March–April 2025**. The breach exposed **personal and medical data of ~916,000 individuals**, including **names, Social Security numbers, dates of birth, health insurance details, medical records, tax IDs, addresses, and check images**. The attack disrupted internal operations, particularly in laboratories. The attackers claimed to have stolen **1.5TB of data** and threatened to leak or sell the files. While DaVita offered free identity restoration via Experian, it did not confirm whether a ransom was paid or how the attackers initially gained access. The incident ranks as the **second-largest U.S. healthcare ransomware breach of 2025** by records compromised, highlighting systemic vulnerabilities in healthcare cybersecurity.
Source: https://www.foxnews.com/tech/nearly-million-patients-hit-davita-dialysis-ransomware-attack
TPRM report: https://www.rankiteo.com/company/davita
"id": "dav838081725",
"linkid": "davita",
"type": "Ransomware",
"date": "3/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '916,000 individuals',
'industry': 'Healthcare',
'location': {'headquarters': 'Denver, Colorado, USA',
'operations': ['USA',
'13 other countries']},
'name': 'DaVita Inc.',
'size': {'employees': None,
'patients_served': '~200,000',
'revenue': None},
'type': 'Healthcare Provider (Dialysis Services)'}],
'customer_advisories': ['Free Identity Restoration Services (Experian) with '
'enrollment deadline: 2025-11-28',
'Recommendations for Affected Individuals (e.g., '
'credit monitoring, password changes)'],
'data_breach': {'data_encryption': 'Yes (Ransomware Encryption)',
'data_exfiltration': 'Yes (1.5TB claimed by Interlock)',
'file_types_exposed': ['Patient Records',
'Financial Documents (Check Images)',
'Health Insurance Files',
'Tax Documents'],
'number_of_records_exposed': '916,000',
'personally_identifiable_information': ['Names',
'SSNs',
'Dates of Birth',
'Addresses',
'Tax ID Numbers'],
'sensitivity_of_data': 'High (SSNs, medical records, '
'financial data)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Protected Health Information '
'(PHI)',
'Financial Information']},
'date_detected': '2025-03-24',
'date_publicly_disclosed': '2025-04-25',
'description': 'Kidney dialysis provider DaVita suffered a ransomware attack '
'in April 2025, exposing the personal and medical information '
'of nearly 916,000 individuals. The breach, attributed to the '
'Interlock ransomware gang, compromised sensitive data '
'including names, Social Security numbers, health insurance '
'details, medical records, and financial information. The '
'attack disrupted internal operations, particularly affecting '
"DaVita's laboratories. Interlock claimed to have exfiltrated "
'1.5TB of data and threatened to sell or release the files '
'publicly. DaVita offered free identity restoration services '
'to victims but did not confirm whether a ransom was paid or '
'how attackers initially gained access.',
'impact': {'brand_reputation_impact': 'High (Second-largest U.S. healthcare '
'ransomware breach in 2025 by record '
'count; potential loss of patient '
'trust)',
'data_compromised': ['Names',
'Social Security Numbers (SSNs)',
'Dates of Birth',
'Health Insurance Details',
'Medical Records',
'Tax ID Numbers',
'Addresses',
'Images of Checks (Financial Information)'],
'downtime': {'duration': '19 days (approx.)',
'end': '2025-04-12',
'start': '2025-03-24'},
'identity_theft_risk': 'High (SSNs, financial, and medical data '
'exposed)',
'operational_impact': ['Disruption of Internal Operations',
'Laboratory Service Interruptions',
'Potential Delays in Patient Care '
'(unconfirmed)'],
'payment_information_risk': 'Moderate (Images of checks '
'compromised)',
'systems_affected': ['Internal Operations', 'Laboratories']},
'initial_access_broker': {'data_sold_on_dark_web': 'Threatened (by Interlock)',
'high_value_targets': ['Patient Databases',
'Financial Records',
'Laboratory Systems']},
'investigation_status': 'Ongoing (as of report date)',
'motivation': ['Financial Gain (Ransom)',
'Data Theft for Extortion/Sale on Dark Web'],
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes (1.5TB claimed)',
'ransom_paid': 'Unconfirmed',
'ransomware_strain': 'Interlock'},
'recommendations': ['Implement Stronger Access Controls (MFA, Password '
'Policies)',
'Enhance Network Segmentation (Especially for '
'Laboratories)',
'Regular Security Audits and Penetration Testing',
'Employee Cybersecurity Training (Phishing Awareness)',
'Incident Response Plan Updates',
'Dark Web Monitoring for Stolen Data'],
'references': [{'source': 'Comparitech'},
{'source': 'CyberGuy.com (Fox News)',
'url': 'https://www.cyberguy.com/'},
{'source': 'DaVita State Filings (Public Disclosure)'},
{'source': 'Interlock Ransomware Gang Leak Site'}],
'regulatory_compliance': {'regulatory_notifications': ['State Filings (USA)']},
'response': {'communication_strategy': ['State Filings (Public Disclosure)',
'Victim Notification Letters '
'(Enrollment Deadline: 2025-11-28)',
'No Response to Media Inquiries (as '
'of report)'],
'incident_response_plan_activated': 'Yes (Implied by containment '
'and victim notification)',
'remediation_measures': ['Free Identity Restoration Services for '
'Victims (Experian)'],
'third_party_assistance': ['Experian (Identity Restoration '
'Services)']},
'threat_actor': 'Interlock Ransomware Gang',
'title': 'DaVita Ransomware Attack and Data Breach (2025)',
'type': ['Ransomware Attack', 'Data Breach']}