UPDATE of August 22, 2025: On August 21, HHS added a listing for this incident that indicates that DaVita reported the incident to HHS on August 1, 2025 as affecting 2,689,826 patients.
Previous post:
There is an update to the ransomware attack involving DaVita Dialysis first reported in April. According to DaVita’s disclosures this month, unauthorized access to its servers began on March 24, 2025 and continued until April 12, 2025, when DaVita was able to kick the attacker out and keep them out.
The incident was first reported by Reuters and by the threat actors — InterLock — who claimed that they would leak 1.5 TB of data. From the fact that the data showed up on the group’s leak site, it seems that they did follow through on their threat.
DaVita’s disclosure states that the types of information included names and “provider name, address, date of birth, social security number, health insurance-related information, and other identifiers internal to DaVita, as well as certain clinical information, such as health condition, other treatment information, and certain dialysis lab test results. For some individuals, the information included tax identification numbers, and in limited cases images of checks written to DaVita.”
Since not all states maintain public sites with breach notifications, we only have data on the number of patients affected from five states at the time of this report: South Carolina (11,570), Washington State (13,404), Oregon (915,952), Texas (81,740), and Massachusetts (7,829), which gives us a preliminary total of 1,030,495, but there will undoubtedly be more.
The incident does not yet appear on HHS’s public breach tool.
Past Breaches
DaVita Dialysis has appeared on this site more than half a dozen times over the years. Some of their incidents pre-date HHS’s breach tool:
- In March 2008, DaVita reported that a laptop stolen from an employee’s car contained unencrypted patient information that included insurance filings for dialysis services for current and former patients, including name, social security number, medical insurance coverage information, and/or other personal and health related information.
- There was also a second incident in 2008, where DaVita reported a burglary at a Florida facility.
- In August 2009, DaVita notified Maryland that Renal Treatment Centers Southeast – LP, an affiliate of DaVita, suffered a data loss when a DaVita facility in Dallas was burglarized and multiple desktop computers were stolen. The stolen hard drives contained dialysis insurance documents which contained patients’ names, addresses, SSN, insurance numbers, treatment records, progress notes, and other personal or medical information.
- In 2013, DaVita reported another laptop stolen from an employee’s car, this one affecting 11,500 patients. There is a lengthy closing statement on HHS’s breach tool about this incident:
DaVita CA Healthcare Provider 11500 11/5/2013 Theft Laptop No
“DaVita, the covered entity (CE), reported that on September 6, 2013, an employee’s unencrypted laptop computer was stolen from a locked car. When the laptop was stolen, the CE believed that it was encrypted in accordance with its policy and did not contain any electronic protected health information (ePHI). Upon further investigation, the CE determined that the laptop was not encrypted and contained patient ePHI pertaining to 10,849 individuals, including diagnosis and insurance information, as well as the social security numbers of some patients. The CE provided breach notification to the affected individuals, the media, and HHS. Following the breach, the CE retrained the involved employee on physical security of laptops, retrained relevant IT personnel on standard encryption configuration processes, and issued a company-wide reminder about physical security requirements pertaining to mobile devices. It also ensured that its laptops are encrypted, revised its device management and monitoring policies and procedures and its acceptable use policy (to include “bring your own device” practices). Additionally, the CE revised its security incident response and crisis management plan and trained its security incident response team on the revisions. In the course of its review, OCR provided technical assistance regarding encryption and security management processes.”
- In 2020, we learned about patient records being dumped improperly.
- In 2022, DaVita reported that 1,092 patients were affected by a phishing attack that compromised an employee’s email account.
- In July 2024, DaVita reported that 67,443 patients were affected by a breach resulting from the use of tracking pixels.
And now this incident in 2025.
This post was corrected post-publication to change the amount of data InterLock claimed to have.