In April 2025, dialysis provider DaVita disclosed a cyberattack in an SEC filing, noting that parts of its network had been encrypted. At the time, the scope of the data breach was unclear. Over the following months, state Attorneys General began releasing reports confirming that over 1 million individuals had been affected. The Interlock ransomware group has since claimed responsibility, stating it exfiltrated more than 20 terabytes of data from DaVita’s systems.
The company said the attack was detected and contained on April 12, 2025. DaVita engaged forensic experts to assist with remediation and launched an ongoing investigation to determine what data was accessed. As of June 2025, the types of compromised data had been identified, including demographic details, clinical information, and in limited cases, tax and payment data.
Going deeper
DaVita operates over 2,600 outpatient centers across 43 states, making the full scope of the breach potentially much larger than currently confirmed. So far, Oregon alone has reported over 900,000 residents affected. Other confirmed states include Texas, Washington, South Carolina, and Massachusetts.
The Interlock ransomware group claims it attempted ransom negotiations with DaVita and, after failing, listed stolen data for sale. A portion, over 1.5 TB, has already been leaked. The group claims to possess more than 200 million rows of patient data. While DaVita has not confirmed the ransom demand or payment, it has stated that it is unaware of any misuse of patient information to date. The company is offering 12 to 24 months of free identity theft protection to affected individuals.
DaVita said the attack primarily targeted its laboratory servers. The breach window lasted from March 24 to April 12, during which time unauthorized access occurred and data was exfiltrated. Class action lawsuits have already been filed by individuals alleging misuse of their data, although DaVita has yet to confirm whether these specific individuals were affected.
DaVita acknowledged the Interlock group’s claims but has not confirmed whether ransom negotiations occurred. The company has committed to notifying impacted individuals and vendors as the investigation progresses. Third-party cybersecurity professionals and law enforcement are involved in the ongoing response.
According to SecurityWeek, Rebecca Moody, head of data research at Comparitech, called the DaVita ransomware incident “one of the largest data breaches via ransomware this year so far.” She noted it ranks as “the seventh largest overall, the third largest in the US, and the third largest on a healthcare provider.” Moody added that Interlock, the group behind the attack, claims to have stolen over 79.2 TB of data from 54 victims, “An average of nearly 1.5 TB per victim,” which she said is higher than most other groups.
Interlock is a ransomware group that emerged publicly in October 2024. It has claimed at least 13 confirmed healthcare-related attacks and is known for leaking stolen data if ransom demands aren’t met.
Not all states publicly report data breach details. This can make it difficult to assess the full scope of a breach unless the company or federal agencies provide complete data.
The OCR portal publicly tracks HIPAA-related breaches. Once DaVita’s breach is listed, it will provide an official tally of affected individuals and help guide regulatory oversight.
DaVita is providing 12 to 24 months of free access to Experian IdentityWorks, which includes credit monitoring and identity theft protection.
Yes. As more individuals learn they were affected, additional lawsuits may be filed. These cases may influence how data breach responsibility and restitution are handled across the healthcare industry.