DaVita Ransomware Attack Exposes Data of Nearly 2.7 Million Individuals

📰 1 unique sources, 1 articles

Summary

DaVita, a kidney dialysis provider, confirmed that a ransomware attack exposed the personal and health information of nearly 2.7 million individuals. The breach occurred between March 24 and April 12, 2025, affecting data from DaVita's dialysis labs database. The Interlock ransomware gang claimed responsibility and leaked the data after failed negotiations. The compromised data includes names, addresses, social security numbers, health insurance details, and medical information. DaVita serves over 265,400 patients across 3,113 outpatient dialysis centers globally. The company reported revenues exceeding $12 billion in 2024 and $3.3 billion for the second quarter of 2025. The breach was detected on April 12, 2025, and the attackers were evicted from the network shortly after. The stolen data was leaked on the dark web, and DaVita has confirmed the legitimacy of the leaked files.

Timeline

  1. 22.08.2025 12:38 📰 1 articles

    DaVita Ransomware Attack Exposes Data of Nearly 2.7 Million Individuals

    DaVita confirmed that a ransomware attack exposed the personal and health information of nearly 2.7 million individuals. The breach occurred between March 24 and April 12, 2025, and involved the theft of sensitive data from DaVita's dialysis labs database. The Interlock ransomware gang claimed responsibility and leaked the data after negotiations failed. The compromised data includes names, addresses, social security numbers, health insurance details, medical information, and in some cases, images of personal checks. The Department of Health's Office for Civil Rights (OCR) confirmed that 2,689,826 individuals were affected, while DaVita's internal investigation found that 2.4 million individuals were impacted.

Similar Happenings

Salesloft OAuth breach exposes Salesforce customer data via Drift AI chat agent

A threat actor, UNC6395, exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and access customer data across multiple integrations, including Salesforce, Google Workspace, and others. The breach occurred between August 8 and 18, 2025, affecting over 700 organizations, including Zscaler, Palo Alto Networks, Cloudflare, Google Workspace, PagerDuty, Proofpoint, SpyCloud, and Tanium. The attackers targeted Salesforce instances and accessed email from a small number of Google Workspace accounts, exporting large volumes of data, including credentials and access tokens. Salesloft and Salesforce have taken steps to mitigate the breach and are advising affected customers to revoke API keys and rotate credentials. Salesloft will temporarily take Drift offline to enhance security. UNC6395 demonstrated operational security awareness by deleting query jobs, indicating a sophisticated approach. The breach highlights the risks of third-party integrations and the potential for supply chain attacks. The breach is unrelated to previous vishing attacks attributed to ShinyHunters. UNC6395 systematically exported large volumes of data from numerous corporate Salesforce instances, searching for secrets that could be used to compromise victim environments. The campaign is not limited to Salesforce customers who integrate their own solutions with the Salesforce service; it impacts all integrations using Salesloft Drift. There is no evidence that the breaches directly impacted Google Cloud customers. Organizations are urged to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access. The blast radius of the Salesloft Drift attacks remains uncertain, with the ultimate scope and severity still unclear. 
Numerous companies have disclosed downstream breaches resulting from this campaign, including Zscaler, Palo Alto Networks, Proofpoint, Cloudflare, and Tenable. Zscaler and Palo Alto Networks warned of potential social engineering attacks resulting from the campaign. Cloudflare confirmed that some customer support interactions may reveal information about a customer's configuration and could contain sensitive information like access tokens. Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications. Palo Alto Networks' Unit 42 recommends conducting an immediate log review for signs of compromise and rotating exposed credentials. The breach started with the compromise of Salesloft's GitHub account between March and June 2025. UNC6395 accessed the Salesloft GitHub account and downloaded content from multiple repositories, added a guest user, and established workflows. Reconnaissance activities occurred between March 2025 and June 2025 in the Salesloft and Drift application environments. Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened the environment with improved segmentation controls between Salesloft and Drift applications. Salesforce restored the integration with the Salesloft platform on September 7, 2025, but Drift remains disabled. 22 companies have confirmed they were impacted by the supply chain breach. ShinyHunters and Scattered Spider were also involved in the Salesloft Drift attacks.

Data breach at Auchan exposes sensitive information of hundreds of thousands of customers

French retailer Auchan experienced a cyberattack that exposed sensitive personal data of several hundred thousand customers. The compromised data includes full names, titles, postal addresses, email addresses, phone numbers, and loyalty card numbers. The breach did not affect bank data, passwords, or PIN numbers. The company has notified affected customers and the French Data Protection Authority (CNIL). Auchan has advised customers to be vigilant against potential phishing attacks using the stolen information. The incident follows similar breaches at other large French entities, but no evidence links these attacks to a coordinated campaign. This is the second data breach that Auchan has disclosed over the past year. The company sent the same notification to its customers in November 2024.

Ransomware attack on Inotiv disrupts operations

Inotiv, a U.S. pharmaceutical company, experienced a ransomware attack on August 8, 2025, resulting in the encryption of systems and data. The attack, claimed by the Qilin ransomware group, has impacted business operations, including databases and internal applications. The company is working to restore systems and mitigate disruptions. The Qilin ransomware group claims to have stolen 162,000 files totaling 176GB and has published data samples on their leak site. Inotiv has engaged external security experts and notified law enforcement. The company employs around 2,000 specialists and has an annual revenue exceeding $500 million. The attack has caused significant disruptions to business operations, with no estimated timeline for full recovery. The Qilin ransomware group has also targeted Creative Box Inc. (CBI), a subsidiary of Nissan, stealing 4TB of data, including 3D vehicle design models and internal reports.

Allianz Life data breach affects 1.1 million customers via Salesforce compromise

Allianz Life, a U.S. insurance subsidiary of Allianz SE, experienced a data breach in July 2025. Hackers accessed a third-party cloud CRM system, stealing personal information of 1.1 million customers. The breach involved a malicious OAuth app linked to Salesforce instances, leading to the exfiltration of sensitive data. The extortion group ShinyHunters, tracked as UNC6040, claimed responsibility and leaked the stolen data. The breach is part of a broader campaign targeting multiple high-profile companies, including Google, Adidas, Workday, Qantas, Pandora, and Workiva. Allianz Life confirmed the breach but declined to provide additional details due to an ongoing investigation. Qantas Group executives reduced their short-term compensation by 15% due to the impact of the cyberattack on customers, which affected approximately 5.7 million passengers.