The Interlock ransomware group has announced the theft of 20TB of sensitive patient information from DaVita Healthcare, claiming to have released 1.5TB of the data to the public while offering the rest for sale. This breach encompasses the personal details of millions of patients.
DaVita, a prominent healthcare provider, now faces the threat of exposing critical patient information as a result of a cyberattack attributed to the Interlock ransomware group. The attackers have started to distribute what they assert is stolen patient data on their dark web leak site, raising alarm among those receiving essential kidney dialysis treatment.
This incident follows DaVita’s recent disclosure to the US Securities and Exchange Commission regarding the cyberattack, which reportedly led to a 3% drop in the company’s stock. DaVita operates over 2,500 dialysis centers across the United States and has an additional presence in 13 other countries, underscoring the scale of the potential data breach.
The attack on DaVita, which reportedly took place around April 12, involved the encryption of portions of the company’s computer systems, disrupting its internal operations. Following the initial breach, DaVita indicated it was activating contingency plans to ensure that patient care remained uninterrupted for individuals suffering from end-stage renal disease who rely on dialysis multiple times a week.
Interlock, a relatively new ransomware group that began publicly tracking its victims in October 2024, claims to have stolen approximately 1.51 terabytes of data from DaVita. They have provided evidence of this alleged data on their dark web platform, raising significant concerns regarding the confidentiality of DaVita’s patient base.
DaVita has confirmed awareness of the dark web activity and is actively conducting a thorough examination of the compromised data. A company spokesperson expressed dismay at the actions taken against the healthcare sector and reiterated their commitment to sharing critical insights with their partners and vendors to bolster defenses against future attacks.
Given the magnitude of the breach, it is crucial to consider that DaVita serves approximately 281,100 patients globally through an extensive network of more than 3,000 outpatient dialysis centers as of 2024.
Cybersecurity experts have noted a marked increase in confirmed attacks linked to the Interlock group since it emerged on the scene. Notably, this group was associated with a prior attack on Texas Tech University Health Sciences Center, which compromised the medical records of over 530,000 individuals. This track record raises serious red flags regarding the current situation faced by DaVita and its patients. The complete extent of the data involved and its potential implications have yet to be fully assessed as DaVita continues its investigation.
Experts such as Paul Bischoff, Consumer Privacy Advocate at Comparitech, emphasize that Interlock has demonstrated a pattern of demanding ransom for decrypting systems and erasing stolen data. There have already been numerous confirmed and unconfirmed attacks attributed to this group, and the healthcare sector has experienced a troubling rise in ransomware attacks. Bischoff highlighted that nearly 25.7 million records were breached across 160 ransomware incidents within the healthcare field in 2024 alone.
This case illustrates the profound impact that cyberattacks can have on patient care and long-term data privacy. In MITRE ATT&CK terms, potential adversary tactics in this breach may include initial access through phishing or exploitation of software vulnerabilities, followed by persistence methods to maintain control of the compromised systems, and privilege escalation to gain unauthorized access to sensitive data. As DaVita navigates this crisis, the implications for its operations and its patients remain to be seen.