DaVita Hit by Ransomware, Interlock Gang Takes Credit
DaVita, a Fortune 500 kidney care provider with operations in 12 countries, has confirmed a cyberattack that impacted parts of its infrastructure. The company disclosed the ransomware incident in an April 12 filing with the U.S. Securities and Exchange Commission (SEC), stating that an investigation was underway to determine the scope of the breach.
Earlier today, the Interlock ransomware gang publicly claimed responsibility for the attack by listing DaVita on its data leak site (DLS) on the dark web.
1.5 Terabytes of Allegedly Stolen Data Leaked
According to the threat actor’s post, they exfiltrated approximately 1.5 terabytes of data—about 700,000 files—containing:
- Sensitive patient records
- Insurance details
- Financial information
- User account data
The files were published online after what appears to be a failed negotiation with DaVita, signaling that the company may not have paid the ransom. BleepingComputer has not independently verified the contents of the leaked files.
DaVita Responds, Launches Investigation
A DaVita spokesperson issued the following statement:
“We are aware of the post on the dark web and are in the process of conducting a thorough review of the data involved. A full investigation regarding this incident is still underway. We are working as quickly as possible and will notify any affected parties and individuals, as appropriate.”
The company also expressed frustration over the attack:
“We are disappointed in these actions against the healthcare community and will continue to share helpful information with our vendors and partners to raise awareness on how to defend against these attacks in the future.”
DaVita has not commented on whether a ransom was paid or if any specific patient groups were impacted.
Ransomware Actor Interlock Escalates Campaign
Interlock is a relatively new ransomware group that emerged in September. It does not operate with external affiliates, but has already claimed a dozen incidents, often exfiltrating terabytes of data per victim.
A recent report by cybersecurity firm Sekoia notes that Interlock is shifting tactics, now using a method known as ‘ClickFix’—a strategy where victims are tricked into deploying info-stealers and remote access trojans (RATs). These are later used to deliver the ransomware payload.
Ongoing Threat to Healthcare Sector
This breach adds to a growing list of healthcare-related cyberattacks. Recent weeks have seen data exposure incidents involving Blue Shield of California and Yale New Haven Health, affecting millions of patients.
Patients who have shared sensitive information with DaVita are urged to remain alert for phishing attempts and report suspicious activity to the relevant authorities.
