US-based kidney dialysis provider DaVita has confirmed that sensitive personal and clinical data was stolen from its systems, impacting over 900,000 customers.
The incident, which is reportedly ransomware-related, began on March 24, 2025, and continued until the threat actor was blocked from DaVita servers on April 12.
An investigation revealed that the attacker accessed and removed data from the company’s dialysis labs database.
In a notification letter sent to impacted customers on August 5, the healthcare firm revealed that this data included:
- Personally identifiable information, including names, dates of birth, social security numbers and health insurance-related information
- Clinical information, such as health conditions, other treatment details and certain dialysis lab test results
- For some individuals, tax identification numbers and in limited cases, images of checks written to DaVita were accessed
The information involved varied by individual.
DaVita has disclosed that a total of 915,952 US residents have been notified of the breach.
Impacted customers have been urged to be vigilant against identity theft and fraud, and DaVita has offered them free credit monitoring services.
DaVita Incident Increases Patient Care Costs
In DaVita’s second quarter 2025 financial results, published on August 5, the company revealed the April cyber-attack cost approximately $13.5m to remediate the incident and restore systems with the assistance of third-party cybersecurity professionals.
Patient care costs increased by $1m, and general and administrative expenses rose by $12.5m as a direct result of the incident, DaVita noted.
“This does not include the impact related to business interruption on our results,” the company added.
Interlock Gang Claims Responsibility
In April, the Interlock ransomware group claimed the attack on DaVita, adding the firm as a victim on its data leak site.
It alleged to have stolen 1.5 TB of data, and posted images of part of the dataset to prove its claim, according to an analysis by consumer awareness firm Comparitech.
Read now: US Government Warns of Wide-Ranging Interlock Attacks
DaVita has not provided any details on the perpetrator, including whether the incident was ransomware related.
In July, Comparitech reported that ransomware attacks on the healthcare industry have grown at a far slower rate than most other sectors in the first half of 2025. This followed a huge surge in ransomware incidents impacting healthcare in 2024.
Nevertheless, numerous high profile incidents affecting healthcare firms have taken place in 2025. One affected Ohio-based Kettering Health, which resulted the cancellation of elective inpatient and outpatient procedures across its 14 hospitals and over 120 facilities.
