Kidney dialysis provider DaVita has confirmed that a ransomware attack led to the theft of personal and health information belonging to nearly 2.7 million individuals.
DaVita operates over 3,100 outpatient dialysis centers worldwide, including 2,660 in the United States, serving more than 265,000 patients. The company reported $12 billion in revenue for 2024 and $3.3 billion for the second quarter of 2025.
The breach was first disclosed in April when DaVita reported to the U.S. Securities and Exchange Commission that attackers had partially encrypted its network, disrupting operations. According to a notice on the company’s dedicated breach website, the hackers gained access to its systems on March 24 and remained inside until April 12, when the intrusion was detected.
During that time, the attackers exfiltrated data from DaVita’s dialysis labs database. The stolen files contained names, addresses, dates of birth, Social Security numbers, health insurance details, and treatment information, including dialysis lab test results. For some patients, tax identification numbers and even images of personal checks were also compromised.
The U.S. Department of Health’s Office for Civil Rights has now confirmed the scope of the breach, reporting that data belonging to 2,689,826 people was stolen.
While DaVita has not officially attributed the attack to a specific ransomware group, the Interlock gang claimed responsibility in April. After failed negotiations, the group published stolen files on its dark web portal, claiming it had taken roughly 1.5 terabytes of data, including nearly 700,000 sensitive patient records, insurance information, and financial details.
On June 18, DaVita confirmed that some of the leaked files were authentic and traced them back to its dialysis labs. The company has not yet issued an updated public statement on the breach.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
The Interlock ransomware group, which first appeared in September 2024, has a history of targeting healthcare providers. It has also been linked to ClickFix and NodeSnake malware attacks on universities in the UK. More recently, the group claimed responsibility for breaching Kettering Health, a major U.S. healthcare system.
