DaVita Ransomware Attack Affects 2.7 Million Individuals
The HIPAA Guide previously reported that the ransomware attack on DaVita had affected more than 1 million individuals, based on breach reports submitted to state attorneys general. The HHS’ Office for Civil Rights data breach portal now lists the incident and indicates that the protected health information of 2,689,826 individuals was potentially stolen, making this one of the largest healthcare data breaches reported this year.
The ransomware attack was detected by DaVita on April 12, 2025; however, the Interlock ransomware group first gained access to its network on March 24, 2025. Data was exfiltrated from the network and was added to the Interlock data leak site when the ransom was not paid. Since sensitive data has been stolen and leaked on the dark web, individuals receiving a notice in the mail should ensure that they sign up for the complimentary credit monitoring and identity theft protection services being offered. They should also carefully check their accounts for any signs of data misuse.
“As the sophistication of cyber incidents increases, we remain vigilant, continue to work with authorities and external experts, and enhance both education of our workforce and data security protocols to adapt to this increased sophistication,” explained DaVita in the substitute data breach notice published on its website.
August 6, 2025: DaVita Ransomware Attack: At Least 1.03 Million Individuals Affected
The kidney dialysis company DaVita fell victim to a cyberattack in April and has started notifying the individuals whose data was compromised in the incident. Based on the reports submitted to state attorneys general so far, at least 1,030,495 individuals are known to have been affected, although the actual total is likely to be substantially higher.
DaVita operates outpatient dialysis centers in 43 states, and only five states have publicly disclosed how many individuals have been affected. The worst-affected state, based on current reporting, is Oregon, where 915,952 individuals are known to have been affected. In Texas, 81,740 state residents have been affected, along with 13,404 in Washington state, 11,570 in South Carolina, and 7,829 in Massachusetts.
The HHS’ Office for Civil Rights (OCR) maintains a publicly accessible list of healthcare data breaches, but the incident is not currently listed. The only listings for DaVita are a 67,443-record data breach in 2024 due to the use of website tracking technologies, a 1,092-record hacking incident in 2022, and a laptop theft in 2013 that affected 11,500 individuals. Given that state attorneys general have started publishing breach reports, OCR is expected to add DaVita to its data breach portal in the coming days.
The DaVita ransomware attack was first disclosed in a filing with the U.S. Securities and Exchange Commission (SEC) in mid-April this year, and by the end of the month, a threat actor, the Interlock ransomware group, had claimed responsibility for the attack. Interlock claimed to have stolen more than 20 TB of databases and threatened to sell 1.5 TB of the stolen data if the ransom was not paid. The Interlock data leak site still lists DaVita, indicating the ransom was not paid.
In the notification letters to state attorneys general, DaVita did not mention ransomware. The attack was detected on April 12, 2025, and was blocked the same day. The forensic investigation confirmed that its network was first breached on March 24, 2025. The compromised servers were primarily located in its laboratories, and the dialysis labs database was compromised.
The data review was completed on or around June 18, 2025, when it was confirmed that the exposed (and potentially stolen) data includes names, addresses, birth dates, Social Security numbers, health insurance information, internal DaVita identifiers, health conditions, treatment information, dialysis test results, and, for some individuals, tax identification numbers and a limited number of images of checks written to DaVita.
Individual notification letters are now being mailed, and complimentary credit monitoring and identity theft resolution services are being offered. DaVita has also confirmed that it has implemented additional security and monitoring tools to prevent similar incidents in the future.
