DaVita, a kidney dialysis company, has experienced a ransomware attack. The organization disclosed the incident in a filing with the Securities and Exchange Commission (SEC) on April 12, 2025. Due to the recency of the incident, the investigation and response is ongoing. The nature and scope of this attack is not yet known.  

Security leaders weigh in 

Randolph Barr, CISO at Cequence:

The DaVita ransomware incident is yet another reminder of how critical it is to have a comprehensive, well-rehearsed backup and recovery strategy. To defend against threats like ransomware, backups must be stored separately from primary systems, ideally in isolated or offline environments — and protected with encryption at rest. These controls help ensure that backup data remains secure and accessible even if production systems are compromised, giving organizations a reliable path to recovery.

The situation should also be closely monitored to see whether it turns out to involve data exfiltration. The double extortion model has been a common pattern lately, with attackers threatening to sell or leak sensitive data if ransom isn’t paid.

For now, the focus should be on the patients and determining if their data was impacted. Patients should implement proactive steps towards securing their information, including checking their credit, creating fraud alerts or enabling a credit freeze, scanning for targeted phishing attempts, and checking patient portals for any unfamiliar activity or claims.

Andrew Costis, Engineering Manager of the Aversary Research Team at AttackIQ:

DaVita, a Colorado-based kidney dialysis firm, has been hit by a ransomware attack that encrypted part of its network and impacted its operations. Upon discovery, DaVita claims it deployed its response tools and protocols, but confirmed that some of the attack and response efforts have resulted in some operations being adversely impacted.

Healthcare organizations remain vulnerable to ransomware attacks due to the vast amount of sensitive patient data they store. Not only can these incidents impact organizational operations, but more importantly, compromise patient health and safety.

Healthcare organizations must treat these incidents as a learning opportunity and realize that proactivity is key. By utilizing the tactics, techniques, and procedures (TTPs) employed by threat groups, organizations can proactively test their systems against these attacks and identify any vulnerabilities before attackers exploit them, as well as ensure their programs are equipped to combat these relentless threats effectively.

Aditya K. Sood, VP of Security Engineering and AI Strategy at Aryaka

The ransomware attack on DaVita was notable for the company’s ability to maintain patient care despite being compromised, which is a sign of strong contingency planning. However, the incident still triggered significant disruption and a sharp 4% drop in DaVita’s stock, reflecting investor concern over cybersecurity risks in healthcare. The attack underscores how even well-prepared organizations remain vulnerable and highlights the operational and financial stakes tied to cyber resilience in critical sectors.

The broader implications of ransomware attacks on critical healthcare organizations like DaVita extend far beyond IT disruptions — they pose serious risks to patient safety, public health, and national resilience. When clinical systems are locked or data is compromised, essential treatments can be delayed, diagnostics interrupted, and emergency responses hindered. The potential loss of life in such situations underscores the urgency of the situation. These incidents also expose sensitive patient information, triggering regulatory scrutiny and eroding public trust. Moreover, they highlight systemic vulnerabilities across the healthcare ecosystem, including outdated infrastructure, insufficient cyber hygiene, and under-resourced security teams, making the sector a persistent and appealing target for sophisticated threat actors.

To defend against ransomware attacks, healthcare entities must adopt a proactive security posture. This includes implementing zero-trust architecture, segmenting networks, and patching vulnerabilities promptly. However, maintaining regular offline backups is one of the most crucial steps in data protection to combat the severe impacts of ransomware attacks. Firm IR plans, continuous monitoring, and staff training are essential to detect and contain threats early. The need for continuous monitoring should reassure the audience that their vigilance is a key part of the defense strategy. Strengthening third-party risk management and investing in cyber resilience is critical to ensuring care delivery is not compromised by digital threats.