Ransomware scum breached kidney dialysis firm DaVita’s labs database in April and stole about 2.4 million people’s personal and health-related information.
In a filing with the US Department of Health and Human Services, the global healthcare provider, which operates 2,661 dialysis centers in America, reported that the breach affected nearly 2.7 million individuals.
However, The Register has learned that after submitting the report, DaVita finalized the total number of people impacted, and HHS is expected to update the number to 2.4 million.
According to the most recent cyber incident update on the company’s website, the attack began on March 24 and continued until DaVita booted the ransomware scum from its servers on April 12, which is also when it informed the US Securities and Exchange Commission about the digital intrusion in a Form 8-K report.
The update explained that criminals stole a grab bag of sensitive information, including:
“Our teams, working with external experts, took swift action to address and recover from a cyber incident earlier this year,” a DaVita spokesperson said in an emailed statement.
“Regrettably, we have determined that the threat actor gained unauthorized access to our labs database, which contained some patients’ sensitive personal information,” the statement continued. “As a result, we’re notifying current and former patients and providing them with resources, including complimentary credit monitoring, to help safeguard their data.”
The digital intrusion did not interrupt patient care, according to DaVita. “We remain steadfast in our commitment to supporting our patients and contributing to the advancement of cybersecurity within the healthcare sector by sharing our experience,” the spokesperson said.
DaVita filed its SEC form April 12, telling federal regulators that a “ransomware incident … encrypted certain elements of our network.” Any public company that suffers a material incident because of a breach is required to file a form with the SEC.
While the dialysis company hasn’t attributed the attack to a particular criminal group, the Interlock ransomware gang previously claimed to be responsible for the infection and posted DaVita to its leak site.
Last month, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) published a joint advisory warning about Interlock ransomware affiliates infecting a “wide range” of critical infrastructure and other business sectors across North America and Europe since September 2024.
“These actors are opportunistic and financially motivated in nature and employ tactics to infiltrate and disrupt the victim’s ability to provide their essential services,” the security advisory noted.
Since it started its operations, Interlock has taken credit for 23 confirmed ransomware attacks, plus 31 unconfirmed claims, according to Comparitech research.
Earlier this summer, Kettering Health confirmed that Interlock was responsible for a ransomware attack in May that canceled patients’ chemotherapy sessions and pre-surgery appointments.
In June, Interlock claimed to have dumped 941 GB of data belonging to the healthcare provider. Stolen information allegedly included ID cards, payment data, purchasing and financial reports, and a ton of other patient and staff details. It encompassed 732,490 files across 20,418 folders, according to the leak site.
Interlock was also behind the late-July cyberattack on the city of Saint Paul, Minnesota, that forced the state’s governor to activate the Minnesota National Guard and declare a state of emergency.
Earlier this month, Interlock claimed to dump a 43 GB haul of files stolen from Saint Paul, including scans of passports, employee records, and other internal documents. ®