Full Report
Kidney dialysis firm DaVita has confirmed that a ransomware gang that breached its network stole the personal and health information of nearly 2.7 million individuals. [...]
Analysis Summary
# Incident Report: DaVita Ransomware Attack and Data Exfiltration
## Executive Summary
The kidney dialysis provider DaVita suffered a ransomware attack in which threat actors gained unauthorized access to its network, encrypted parts of it, and exfiltrated sensitive personal and health data belonging to nearly 2.7 million individuals. The intrusion was discovered in April; the Interlock ransomware group claimed responsibility and, after negotiations failed, leaked the stolen data. DaVita confirmed the data theft and began notifying affected parties.
## Incident Details
- Discovery Date: April 12, 2025 (year inferred from the August 22, 2025 notification date cited in this report)
- Incident Date: March 24, 2025 (initial access; year inferred as above)
- Affected Organization: DaVita (Kidney dialysis firm)
- Sector: Healthcare
- Geography: United States, with operations in 13 other countries.
## Timeline of Events
### Initial Access
- Date/Time: March 24, 2025
- Vector: Not disclosed in the reporting.
- Details: Attackers gained unauthorized access to the DaVita network.
### Lateral Movement
- Details: Attackers remained inside the network between March 24 and April 12, during which time they accessed the dialysis labs database and exfiltrated data before being detected.
### Data Exfiltration/Impact
- Date/Time: Occurred between March 24 and April 12.
- Impact: Interlock claimed to have stolen approximately 1.5 terabytes of data. Data compromised included personal information (Name, Address, DOB, SSN, Tax IDs), health insurance details, health information (condition, treatment data, lab results), and potentially images of personal checks.
- Notification: On August 22, 2025, DaVita confirmed that nearly 2.7 million people were affected.
### Detection & Response
- Date/Time: Incident detected on April 12, 2025.
- Response Actions: Attackers were evicted from the network on April 12. DaVita set up a dedicated incident website and, on June 18, 2025, confirmed that the files leaked by Interlock were genuine. The U.S. Department of Health and Human Services' Office for Civil Rights (HHS OCR) was notified.
## Attack Methodology
- Initial Access: Unauthorized network access (Specific vector unknown).
- Persistence: Implied, as access was maintained from March 24 until April 12.
- Privilege Escalation: Not specifically detailed.
- Defense Evasion: Not specifically detailed, but the attackers operated undetected for nearly three weeks.
- Credential Access: Implied; credentials would have been needed to reach the sensitive database.
- Discovery: Implied, to locate and exfiltrate data from the "dialysis labs database."
- Lateral Movement: Implied, required to access data beyond the initial point of entry.
- Collection: Focused on the dialysis labs database.
- Exfiltration: Approximately 1.5 TB of data stolen prior to eviction (per Interlock's claim).
- Impact: Partial encryption of the network (mentioned in initial April disclosure) and massive data exfiltration.
## Impact Assessment
- Financial: Not specified; operational disruption occurred.
- Data Breach: Data of 2,689,826 individuals compromised, including highly sensitive PII and PHI (SSN, health conditions, treatment data).
- Operational: Operations were disrupted after attackers partially encrypted the network over a weekend in April.
- Reputational: Significant public reporting regarding the large-scale patient data breach.
## Indicators of Compromise
- Network Indicators: None published in the source reporting.
- File Indicators: None published. Candidate artifacts are the Interlock ransomware payload (if one was deployed) and the NodeSnake RAT (associated with the group but not confirmed in this attack).
- Behavioral Indicators: Extended covert access to a critical database (dialysis labs) over approximately three weeks.
## Response Actions
- Containment: Attackers were detected and evicted from the network on April 12.
- Eradication: Not detailed; implied to have followed detection and eviction.
- Recovery: DaVita was reportedly back in operation after the weekend disruption in April. Affected individuals are being notified.
## Lessons Learned
- Network segmentation and detection controls need continuous review: the threat actor held access for almost three weeks before being detected.
- Data access logging and monitoring on core operational and patient data systems (here, the dialysis labs database) did not surface roughly three weeks of data staging and exfiltration. Logging cannot prevent exfiltration, but access to a PHI repository at exfiltration volumes should have been detected.
## Recommendations
- Enhance monitoring around repositories of protected health information (PHI) so that anomalous access patterns and bulk collection (unusual query volume for a principal, reads from a previously unseen source host, off-hours activity) are detected promptly rather than weeks later.
- Review and enforce identity and access management policies, particularly for systems storing SSNs and financial data.
- Run continuous threat hunting for the covert persistence mechanisms used by ransomware groups such as Interlock.
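The monitoring recommended above (and the logging gap noted under Lessons Learned) can be made concrete with a small baseline-and-ratio detector run over database audit logs. The following is an added example written for this report; it is not DaVita's code, and the Interlock reporting describes no such logs. The line format, the `SENSITIVE_TABLES` set, the thresholds and the sample log are all constructed for illustration. It raises two kinds of alert: a `bulk_read` when a principal's daily row volume against any table exceeds ten times its own trailing seven-day average (and a floor of 1,000 rows), and a `new_host` when a sensitive table is read from a client host never seen for that principal after an initial learning period.

```python
"""Bulk-access and new-host detection over a constructed database audit log.

Added example for this report, not DaVita's tooling. The log format below is
hypothetical: "<ISO-8601 UTC ts> user=<principal> host=<client> table=<table> rows=<n>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"host=(?P<host>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Tables holding PHI/PII (assumed names); reads from an unseen host are reported.
SENSITIVE_TABLES = {"patients", "lab_results", "insurance"}

# Constructed sample log: a week of normal activity followed by two anomalies.
SAMPLE_LOG = "\n".join(
    # Normal: the lab application reads 100-128 rows/day from app01.
    [f"2025-03-{d:02d}T09:00:00Z user=lab_app host=app01 table=lab_results rows={100 + 7 * (d % 5)}"
     for d in range(17, 24)]
    # Normal: an analyst reads 40-42 patient rows/day from ws07.
    + [f"2025-03-{d:02d}T14:30:00Z user=jsmith host=ws07 table=patients rows={40 + (d % 3)}"
       for d in range(17, 24)]
    # Anomaly 1: the analyst account pulls 5,000 patient rows at 02:11.
    + ["2025-03-25T02:11:40Z user=jsmith host=ws07 table=patients rows=5000"]
    # Anomaly 2: a never-seen account on a never-seen host dumps lab results.
    + ["2025-03-26T03:05:17Z user=svc_backup host=ws-4411 table=lab_results rows=800000"]
)


def parse_log(text):
    """Parse audit lines into event dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "host": m["host"],
            "table": m["table"], "rows": int(m["rows"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, baseline_days=7, ratio=10.0, min_rows=1000):
    """Return alert dicts: 'new_host' for unseen (user, host) pairs on sensitive
    tables after the learning period, 'bulk_read' for daily volume spikes."""
    alerts = []
    if not events:
        return alerts

    # Pass 1: (user, host) pairs seen during the first baseline_days are trusted;
    # any later first appearance against a sensitive table is reported.
    learning_end = events[0]["ts"] + timedelta(days=baseline_days)
    seen_hosts = defaultdict(set)
    for e in events:
        if e["table"] not in SENSITIVE_TABLES:
            continue
        known = seen_hosts[e["user"]]
        if e["host"] not in known and e["ts"] >= learning_end:
            alerts.append({"type": "new_host", "user": e["user"], "host": e["host"],
                           "table": e["table"], "ts": e["ts"].isoformat()})
        known.add(e["host"])

    # Pass 2: per-user daily row totals compared with that user's own trailing mean.
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["ts"].date())] += e["rows"]
    per_user = defaultdict(dict)
    for (user, day), rows in totals.items():
        per_user[user][day] = rows
    for user, days in per_user.items():
        for day in sorted(days):
            window_start = day - timedelta(days=baseline_days)
            prior = [r for d, r in days.items() if window_start <= d < day]
            baseline = float(mean(prior)) if prior else 0.0   # no history => any bulk read is notable
            rows = days[day]
            if rows >= min_rows and rows > ratio * baseline:
                alerts.append({"type": "bulk_read", "user": user, "date": day.isoformat(),
                               "rows": rows, "baseline": round(baseline, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log this yields one `new_host` alert (svc_backup from ws-4411) and two `bulk_read` alerts (jsmith at 5,000 rows against a 41-row baseline, and svc_backup at 800,000 rows with no history). Per-principal baselines matter here: a fixed global threshold tuned for the lab application would have missed the analyst account, and a per-host allow-list alone would have missed the spike from an already-trusted workstation. In production the same logic belongs in the SIEM against the database's native audit stream, with the learning-period trust set reviewed rather than assumed.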