Interlock Ransomware Group Targets DaVita Healthcare, Exposing Millions of Patients’ Data
In a significant breach of cybersecurity, the Interlock ransomware group has declared that it has stolen an astonishing 20 terabytes of sensitive patient data from DaVita Healthcare, a leading provider of kidney dialysis services. The group has leaked 1.5 terabytes of the information thus far and is reportedly demanding payment for access to the remaining data, which includes personal details of millions of patients.
This alarming turn of events places patients receiving critical kidney dialysis treatment from DaVita at risk of having their sensitive information exposed. DaVita operates more than 2,500 dialysis centers across the United States and hundreds more in 13 other countries, underscoring the potential scale of the data breach and its implications for patient privacy.
The situation unravelled just two weeks after DaVita informed the U.S. Securities and Exchange Commission about the ransomware attack. Following that announcement, the company’s stock experienced a notable decline, plummeting by 3%. Reports indicate that financial markets reacted sharply to news of the cyberattack, a clear indication that investors are concerned about the long-term ramifications of such a significant breach in a healthcare context.
As documented by Hackread.com, the cyberattack on DaVita occurred around April 12th, leading to the encryption of various parts of the organization’s computer systems. This breach disrupted DaVita’s internal operations, prompting the company to activate contingency plans aimed at maintaining uninterrupted patient care. This is critical for individuals diagnosed with end-stage renal disease, who often require dialysis several times a week in order to survive.
Interlock, which emerged onto the cybercrime scene as a relatively new ransomware group in October 2024, claims to have obtained a staggering 1.51 terabytes of data from DaVita. The group has already released samples of what it asserts is this stolen data on its dark web leak site. The exposure of such information raises severe concerns regarding patient privacy and can have long-lasting repercussions for individuals whose data may be compromised.
In response to the breach, DaVita has acknowledged the dark web postings and is conducting a thorough investigation into the incident. A spokesperson for the company expressed disappointment over the recent actions against the healthcare community and emphasized their commitment to providing relevant information to vendors and partners aimed at raising awareness regarding cybersecurity threats. The spokesperson stated, “We are disappointed in these actions against the healthcare community and will continue to share helpful information to raise awareness on how to defend against these attacks in the future.”
The magnitude of this breach becomes all the more concerning when considering that DaVita serves approximately 281,100 patients globally through its extensive network of over 3,000 outpatient dialysis centers as of 2024. The scale of the data involved signifies potential threats to patient security and privacy on an unprecedented level.
Experts in cybersecurity, including Paul Bischoff from Comparitech, have noted that Interlock has been linked to an increasing number of confirmed attacks since its inception. Bischoff highlighted a previous incident where the group was responsible for a cyberattack on Texas Tech University Health Sciences Centre. That attack compromised the medical information of more than 530,000 individuals, serving as a grim reminder of the serious implications associated with this and other ransomware incidents.
The current situation at DaVita raises crucial questions about the wider impact of such cyberattacks within the healthcare sector. The full scope of the data breach remains undetermined as DaVita continues its investigation, with potential consequences on data privacy and patient trust looming large.
Additionally, Paul Bischoff has shed light on the broader context of cyberattacks on healthcare systems, stating that Interlock began identifying victims in October 2024, often demanding ransom for decrypting systems and deleting stolen data. Comparitech has tracked numerous confirmed and unconfirmed attacks attributed to this group, demonstrating the significant threat posed to the healthcare industry at large. Bischoff remarked, “In 2025 alone, there have been 17 confirmed ransomware attacks on U.S. healthcare companies, with numerous others remaining unverified.” He further outlined that approximately 25.7 million records were breached across 160 ransomware incidents targeting the healthcare sector in 2024.
As the investigation unfolds and more facts come to light, the focus continues to be on the protection of sensitive patient information and the efforts necessary to mitigate future cyber threats. The DaVita incident serves as a stark reminder of the ever-evolving landscape of cybersecurity risks in a world increasingly reliant on technology for health care delivery.