The Interlock ransomware gang has taken credit for the dialysis company DaVita ransomware attack and leaked the allegedly stolen data as proof.
With an annual revenue of over $12.8 billion, the Fortune 500 company operates over 2,600 dialysis centers across the United States and more than 3,000 worldwide and employs over 75,000 workers. The company serves over 200,000 patients at its outpatient and home care clinics across the United States.
On April 12, 2025, DaVita notified the U.S. Securities and Exchange Commission (SEC) in a regulatory filing that it was the victim of a “ransomware incident that has encrypted certain elements of our network” on the same day.
Dialysis company’s operations impacted by a ransomware attack
The Denver, Colorado-based dialysis company responded by activating its incident response protocols and applying containment measures, including isolating some impacted systems.
Despite DaVita implementing contingency plans to minimize disruption, certain operations still experienced interruptions. The dialysis company could also anticipate when it would fully restore the impacted systems.
“We have implemented our contingency plans, and we continue to provide patient care,” the dialysis company stated. “However, the incident is impacting some of our operations, and while we have implemented interim measures to allow for the restoration of certain functions, we cannot estimate the duration or extent of the disruption at this time.”
Investigation is also ongoing to determine the full breadth and scope of the ransomware attack, including the type of patient data potentially exposed. The material impact of the ransomware attack also remained undermined, and the company has not attributed the attack to any cybercrime group. The company has also not disclosed the attack vector exploited.
“Sadly, it’s another ransomware case, another data leak,” lamented James McQuiggan, Security Awareness Advocate at KnowBe4. “The mechanics haven’t changed much: initial access, privilege escalation, exfiltration, extortion. Rinse. Lather. Repeat.”
“What’s still missing in many organizations is the alignment across people, processes, and technology. Cybercriminals rely on simple vectors like phishing or weak external access with unpatched systems or credential stuffing.,” added McQuiggan.
Interlock takes credit for the DaVita ransomware attack
Meanwhile, the Interlock ransomware gang has claimed responsibility for the DaVita ransomware attack and published stolen files on its data leak site.
The relatively new ransomware gang claims it exfiltrated over 1.5 terabytes of data from approximately 700,000 files containing sensitive patient records, user account information, insurance, and financial information.
The release of the allegedly stolen files suggests that the dialysis company refused to pay the ransom, which typically does not guarantee that the threat actor will not sell or misuse the stolen information.
Nonetheless, the exposure of sensitive health information has serious consequences for the impacted victims, and the affected company might face serious regulatory actions and lawsuits.
Multiple healthcare organizations targeted
Healthcare organizations are prime targets for cyberattacks by ransomware gangs that prioritize profits over human life. According to a Sophos State of Ransomware in Healthcare 2024 report, two-thirds of healthcare organizations were hit by a ransomware attack, up from 60% a year ago, while just over a third (34%) experienced ransomware attacks in 2021.
In January 2025, the New York Blood Center (NYBC) was the victim of a ransomware attack that resulted in the disruption of operations amid ongoing blood shortages.
In July 2024, blood center OneBlood also suffered a ransomware attack that prompted 250 hospitals to activate their critical blood shortage protocols.
Other recent healthcare victims of ransomware attacks include Bell Ambulance of Milwaukee, which the Medusa ransomware gang claims to have breached. The Alabama Ophthalmology Associates also suffered a ransomware attack, which leaked sensitive patient information, including Social Security numbers, medical information, and health insurance information.
Another dialysis company, Fresenius Medical Care, suffered a cyber attack in 2023 that leaked the sensitive medical records of 500,000 patients.
Insurance giant UnitedHealth Group also suffered one of the largest healthcare cyberattacks, exposing sensitive data of 100 million people, including DaVita customers.
