Over 1 Million Dialysis Patients Affected by DaVita Ransomware Attack

In April 2025, DaVita, a kidney dialysis facility, disclosed a security breach in its SEC filing, though at the time it was uncertain how many people were affected by the theft of sensitive data. The investigation and data analysis have been ongoing for 3 months. DaVita has since notified the State Attorneys General about the incident, and the scope of the data breach is now clearer.

According to the state AG reports to date, the breach has impacted over 1 million individuals. However, not all states have released data breach reports, even though all states have data breach notification regulations like those of HIPAA. Only some have publicly announced the number of affected state residents. DaVita manages 2,675 outpatient dialysis centers located in 43 states. The confirmed numbers of affected individuals are as follows, but the actual total could be several times larger.

  • Massachusetts – 7,829 affected individuals
  • Oregon – 915,952 affected individuals
  • Texas – 81,740 affected individuals
  • South Carolina – 11,570 affected individuals
  • Washington – 13,404 affected individuals
  • Confirmed Total – 1,030,495 affected individuals

Currently, the DaVita incident is not listed on the HHS Office for Civil Rights breach portal. Usually, the posting of a breach report is delayed by one to two weeks from the time OCR receives it. Therefore, a listing will likely be posted in two weeks confirming the number of people affected.

DaVita sent notification letters with more details about the data breach, although they did not state that it was caused by ransomware. The Interlock ransomware group did claim responsibility for the attack and the theft of 20 TB of data files.

DaVita stated that the cyberattack involved unauthorized access to some DaVita network servers, mainly at its labs. The company discovered the attack on April 12, 2025, and removed the threat from its networks on the same day. Third-party digital forensics specialists investigated the incident and assisted with the control, removal, and remediation of the threat.

The investigation found that initial access to its systems occurred on March 24, 2025, and continued until April 12, 2025. The incident resulted in the breach of data contained in the dialysis centers’ database. The Interlock ransomware group said it stole 20+ TB of data, including over 200 million rows of patient records.

DaVita stated that the types of information affected were confirmed on or about June 18, 2025. The types of data exposed during the attack differed from one person to another and may include:

  • Demographic data – name, address, birth date, Social Security number, medical insurance-related data, and other identifiers related to DaVita
  • Clinical data – medical condition, other treatment details, and some dialysis laboratory test results
  • Tax data – tax ID numbers and photos of checks written to DaVita for some individuals

DaVita said that it has implemented additional security tracking tools and upgraded system controls to prevent a recurrence of the incident. DaVita has not received any report of improper use of patient information due to the security incident. However, as a safety measure, it is providing the impacted patients with a free Experian IdentityWorks identity theft protection service membership for 1-2 years.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA