Description
DaVita, a U.S.-based operator of a large chain of outpatient dialysis clinics in the United States and abroad, mailed breach notification letters on August 5, 2025. The letters informed patients of a security incident in which an unauthorized party gained access to some of DaVita's network servers; the unauthorized access began on March 24, 2025 and was discovered on April 12, 2025, a dwell time of roughly three weeks. Data belonging to 915,952 patients was exposed and could have included names, dates of birth, addresses, Social Security numbers (SSNs), Tax ID numbers, and images of checks, as well as medical conditions, treatments, and test results. The Interlock ransomware group claimed responsibility on April 25, 2025, stating that it had taken 1.5 TB of data from DaVita's network, and posted images of some of the stolen documents to substantiate the claim. Interlock first surfaced in October 2024 and has since been linked to 23 confirmed ransomware attacks. The group relies on both encryption and data theft for extortion (double extortion), so a victim that restores from backups can still be pressured with the stolen data.
Identify Indicators of Compromise (IoCs)
The intrusion was discovered on April 12, 2025, when alerts from DaVita's monitoring tools, together with an operational disruption, triggered activation of its incident response plan. DaVita says normal patient care continued with the help of contingency measures and backup systems. The notification does not list technical indicators such as file hashes, IP addresses, or tooling names; the monitoring alerts and the operational disruption are the only detection signals DaVita has described.
Actions Taken
DaVita immediately engaged an external forensics team to determine the nature and scope of the compromise; that team then worked with DaVita's internal staff on containment, threat eradication, and remediation. The company also reported the incident to law enforcement, which has assisted in the investigation. DaVita says that since the attack it has added safeguards, including additional security monitoring tools and enhanced system controls.
Prevention
From the information available, DaVita appears to have had an effective incident response plan (IRP) in place when it discovered the unauthorized access. A plan that spells out the steps for engaging outside cybersecurity firms and law enforcement is crucial to mobilizing the resources and expertise a breach demands. It should also define clear procedures for isolating affected systems to contain the threat and limit operational disruption.
As with most things, the sooner you can execute your IRP, the better your chance of limiting the damage. The DaVita case also shows the limits of a plan that is only triggered late: if Interlock's claim of taking 1.5 TB is accurate, the data had already left the network by the time the operational disruption was noticed, so detection needs to fire on the earlier stages of an intrusion (initial access, lateral movement, bulk data transfer), not just on the encryption event. Some things you should do in advance include the following:
- Isolate sensitive systems such as critical servers and databases on separate network segments, allowing only the traffic each segment actually needs. This contains a breach to the segment where it started and makes lateral movement by an attacker harder and noisier.
- Deploy monitoring tools such as a SIEM and endpoint detection and response (EDR) that can surface anomalies and unauthorized activity: signs of ransomware staging (mass file renames or encryption, tampering with backups or security tools), unusual user behavior, and access from unexpected hosts or at unexpected times.
- Enforce least privilege through robust access controls and multifactor authentication (MFA), so that a single stolen credential cannot grant broad access to production systems or to sensitive personal information.
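As an added illustration of the monitoring point in the list above (this is example code written for this page, not DaVita's tooling and not a description of what Interlock did), the following Python script runs two simple rules over constructed log lines: a burst of file renames by one account within a short window, the pattern a file-encrypting ransomware process produces, and one account authenticating over the network to several different hosts within a few minutes, a lateral-movement pattern. The log format, account names, host names, and thresholds are all assumptions made for the example; in practice the same logic would run inside a SIEM over EDR or Windows security-event telemetry.

```python
"""Two toy detection rules over constructed audit log lines (example code, not DaVita telemetry):
 - rename_burst: one account renames >= N files within a short window (ransomware encryption pattern)
 - lateral_movement: one account makes network logons to >= M distinct hosts within a window
Log format (assumed for this example): "<ISO-8601 UTC timestamp> <EVENT> <user> <host> <detail>"
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def build_sample_log():
    """Constructed sample telemetry: benign activity by 'alice', then a noisy service account."""
    t0 = datetime(2025, 4, 12, 3, 0, 0, tzinfo=timezone.utc)

    def stamp(offset_s):
        return (t0 + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [
        f"{stamp(0)} LOGON alice WS-01 type=interactive",
        f"{stamp(40)} FILE_RENAME alice FS01 draft.docx->draft_v2.docx",
        f"{stamp(90)} LOGON alice FS01 type=network",
    ]
    # Ransomware-style burst: svc_backup renames 12 files to a new extension in 12 seconds.
    lines += [f"{stamp(120 + i)} FILE_RENAME svc_backup FS01 report{i}.pdf->report{i}.pdf.locked"
              for i in range(12)]
    # Lateral movement: the same account then logs on to five different hosts in under two minutes.
    hosts = ["WS-02", "WS-03", "SRV-DB1", "SRV-APP2", "FS02"]
    lines += [f"{stamp(300 + 25 * i)} LOGON svc_backup {host} type=network"
              for i, host in enumerate(hosts)]
    return lines


def parse_line(line):
    """Split one log line into its five fields; the timestamp becomes an aware UTC datetime."""
    ts, event, user, host, detail = line.split(" ", 4)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "event": event, "user": user, "host": host, "detail": detail,
    }


def detect(lines, rename_threshold=10, rename_window_s=60, host_threshold=4, logon_window_s=300):
    """Return one alert per (rule, user) the first time a threshold is crossed."""
    alerts = []
    fired = set()
    renames = defaultdict(deque)   # user -> recent rename timestamps (sliding window)
    logons = defaultdict(deque)    # user -> recent (timestamp, host) network logons

    for rec in sorted((parse_line(line) for line in lines), key=lambda r: r["ts"]):
        user, ts = rec["user"], rec["ts"]

        if rec["event"] == "FILE_RENAME":
            window = renames[user]
            window.append(ts)
            while ts - window[0] > timedelta(seconds=rename_window_s):
                window.popleft()
            if len(window) >= rename_threshold and ("rename_burst", user) not in fired:
                fired.add(("rename_burst", user))
                alerts.append({"rule": "rename_burst", "user": user,
                               "host": rec["host"], "count": len(window), "at": ts})

        elif rec["event"] == "LOGON" and "type=network" in rec["detail"]:
            window = logons[user]
            window.append((ts, rec["host"]))
            while ts - window[0][0] > timedelta(seconds=logon_window_s):
                window.popleft()
            distinct = sorted({h for _, h in window})
            if len(distinct) >= host_threshold and ("lateral_movement", user) not in fired:
                fired.add(("lateral_movement", user))
                alerts.append({"rule": "lateral_movement", "user": user,
                               "hosts": distinct, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

Both rules fire on the constructed data for `svc_backup` and stay silent for `alice`. The thresholds are tuning values, not magic numbers: legitimate backup jobs, migrations, and admin tooling also produce rename bursts and multi-host logons, so a production version needs per-account and per-host allow-lists and a baseline of what normal looks like, or it will drown the analysts in false positives before the real event arrives.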
One of the best ways to find exploitable weaknesses before an attacker does is to perform regular security audits that assess your risk posture: risk-based threat assessments, penetration tests, or other external security reviews. Proactively assessing your likely threat landscape identifies your most exposed attack surfaces and gives you the intelligence to prioritize security initiatives where they matter most.