Kidney dialysis giant DaVita tells 2.4M people they were snared in ransomware data theft nightmare

Health details, tax ID numbers, even images of checks were stolen, reportedly by the Interlock gang

[Jessica Lyons](/Author/Jessica-Lyons) Fri 22 Aug 2025 // 19:05 UTC

Ransomware scum breached kidney dialysis firm DaVita's labs database in April and stole about 2.4 million people's personal and health-related information.

In a filing with the US Department of Health and Human Services, the global healthcare provider, which operates 2,661 dialysis centers in America, reported that the breach affected [nearly 2.7 million individuals](https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf).

However, *The Register* has learned that after submitting the report, DaVita finalized the total number of people impacted, and HHS is expected to update the number to 2.4 million.

According to the most recent [cyber incident update](https://davitasystemsoutage.com/) on the company's website, the attack began on March 24 and continued until DaVita booted the ransomware scum from its servers on April 12, which is also when it informed the US Securities and Exchange Commission about the digital intrusion in a [Form 8-K report](https://www.sec.gov/Archives/edgar/data/927066/000119312525079593/d948299d8k.htm).

The update explained that criminals stole a grab bag of sensitive information, including:

…certain demographic information, such as name, address, date of birth, social security number, health insurance-related information, and other identifiers internal to DaVita, as well as certain clinical information, such as health condition, other treatment information, and certain dialysis lab test results. For some individuals, the information included tax identification numbers, and in limited cases images of checks written to DaVita.

"Our teams, working with external experts, took swift action to address and recover from a cyber incident earlier this year," a DaVita spokesperson said in an emailed statement.

"Regrettably, we have determined that the threat actor gained unauthorized access to our labs database, which contained some patients' sensitive personal information," the statement continued. "As a result, we're notifying current and former patients and providing them with resources, including complimentary credit monitoring, to help safeguard their data."

The digital intrusion did not interrupt patient care, according to DaVita. "We remain steadfast in our commitment to supporting our patients and contributing to the advancement of cybersecurity within the healthcare sector by sharing our experience," the spokesperson said.

DaVita filed its SEC form April 12, telling federal regulators that a "ransomware incident … encrypted certain elements of our network." Any public company that suffers a material incident because of a breach is required to file a form with the SEC.

While the dialysis company hasn't attributed the attack to a particular criminal group, the Interlock ransomware gang previously claimed to be responsible for the infection and posted DaVita to its leak site.

Last month, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) [published a joint advisory](https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a) warning about Interlock ransomware affiliates infecting a "wide range" of critical infrastructure and other business sectors across North America and Europe since September 2024.

"These actors are opportunistic and financially motivated in nature and employ tactics to infiltrate and disrupt the victim's ability to provide their essential services," the security advisory noted.

Since it started its operations, Interlock has taken credit for [23 confirmed ransomware attacks](https://www.comparitech.com/news/dialysis-firm-davita-notifies-915k-people-of-data-breach-that-compromised-ssns-and-medical-info/), plus 31 unconfirmed claims, according to Comparitech research.

Earlier this summer, [Kettering Health confirmed](https://ketteringhealth.org/cybersecurity-incident-faq/) that Interlock was responsible for a ransomware attack in May that canceled patients' chemotherapy sessions and pre-surgery appointments.

In June, [Interlock claimed](https://www.theregister.com/2025/06/04/ransomware_scum_leak_kettering_patient_data/) to have dumped 941 GB of data belonging to the healthcare provider. Stolen information allegedly included ID cards, payment data, purchasing and financial reports, and a ton of other patient and staff details. It encompassed 732,490 files across 20,418 folders, according to the leak site.

Interlock was also behind the late-July cyberattack on the city of Saint Paul, Minnesota, that forced the state's governor to activate the Minnesota National Guard and [declare a state of emergency](https://www.theregister.com/2025/07/30/minnesota_gov_calls_in_national/).

Earlier this month, [Interlock claimed](https://www.theregister.com/2025/08/13/ransomware_crew_spills_saint_pauls/) to dump a 43 GB haul of files stolen from Saint Paul, including scans of passports, employee records, and other internal documents. ®
