Kidney dialysis service provider DaVita, based in Denver, CO, submitted a data breach report to the HHS’ Office for Civil Rights following a ransomware attack on April 12, 2025. The attackers gained access to its system, exfiltrated sensitive information, and encrypted files on some of its systems. Although the attack temporarily disrupted part of its operations, DaVita continued to provide critical care to patients.
DaVita earlier announced that the ransomware group had gained access to a lab database containing patient data. The company reviewed the database and other impacted areas of the system and confirmed that the protected health information (PHI) of 2,689,826 individuals was compromised. This is the third-biggest healthcare data breach reported so far in 2025. The cyberattack on Episource, which impacted 5.5 million individuals, was the biggest, and the Blue Shield of California website tracking data breach, which impacted 4.7 million individuals, was the second biggest.
DaVita sent notification letters to the impacted individuals and offered them free Experian IdentityWorks credit monitoring and identity theft protection services for 12-24 months. The notification letters shared more information about the data breach without saying it was due to ransomware, but the Interlock ransomware group admitted it was behind the cyberattack. In the letters, DaVita reported a security incident that allowed unauthorized access to selected DaVita network servers, largely at its labs. DaVita discovered the attack on April 12, 2025, and secured its systems the same day. Third-party digital forensic specialists assisted in containing and eradicating the threat and remediating the incident.
According to the forensic investigation, unauthorized access to the system began on March 24, 2025, and continued until April 12, 2025. Data in the dialysis laboratories database was compromised. The Interlock ransomware group claimed to have stolen 20+ TB of patient data during the attack.
Around June 18, 2025, DaVita reported the types of data affected in the incident, which may include demographic data, such as name, address, birth date, medical insurance data, and Social Security number; clinical data, such as medical condition, other treatment details, and some dialysis laboratory test data; and tax details, such as tax ID numbers and photos of checks issued to DaVita.
DaVita implemented additional security monitoring solutions and improved system controls to prevent similar incidents in the future. DaVita has not received any report of patient data misuse arising from the incident. However, in an SEC filing made on August 5, 2025, DaVita reported that the attack cost the company $13.5 million in the second quarter of 2025. The company spent $12.5 million on administrative costs for remediating the attack, engaging third-party cybersecurity experts, and recovering systems, and $1.0 million on patient care costs. The $13.5 million figure does not include losses caused by business interruption.
Further losses are expected from DaVita’s or its business associates’ noncompliance with HIPAA privacy and security regulations; costs related to noncompliance or a breach caused by the misappropriation, loss, or other unauthorized use or sharing of confidential data; and lower revenue resulting from lower patient admissions and continuing workforce challenges.