On August 5, dialysis firm DaVita confirmed a data breach affecting over 900,000 individuals. The breach potentially exposed Social Security Numbers and personal health information.

Rebecca Moody, Head of Data Research at Comparitech: 

"This attack on DaVita is one of the largest data breaches via ransomware this year so far. It's the seventh largest overall, the third largest in the U.S., and the third largest on a healthcare provider. This highlights the far-reaching consequences these attacks have, particularly as ransomware gangs remain increasingly focused on stealing vast quantities of data.

Interlock, in particular, is notorious for its data theft claims. Across its 54 victims, it alleges to have stolen over 79.2 TB of data, with an average of nearly 1.5 TB per victim. This is higher than most other groups (in July 2025, for example, the average known data theft across all attacks by all groups was just over 475 GB). It was also responsible for the attacks on Texas Tech University Health Sciences Center in September 2024 where nearly 1.5 million people were affected, Brockton Neighborhood Health Center in November 2024 in which 97,488 people were affected, and, more recently, in May 2025, Texas Digestive Specialists (Gastroenterology Consultants of South Texas) in which 41,521 people were impacted."

Interlock was responsible for the disruptive attack on Kettering Health in May 2025, too. A data breach following this attack is yet to be confirmed, but in this attack, Interlock said it had stolen 941 GB in total."

Ensar Seker, CISO at SOCRadar:

"This incident with DaVita is a sobering illustration of how ransomware campaigns continue to target healthcare’s most critical third-party providers. Operating more than 2,600 dialysis clinics nationwide, DaVita serves over 200,000 patients. In April they suffered a ransomware attack, later claimed by the Interlock ransomware gang, which reportedly exfiltrated and leaked terabytes of patient data including sensitive personal health and insurance information, Social Security numbers, and financial data, impacting nearly one million individuals.

While DaVita’s contingency plans have ensured patient treatment hasn’t been interrupted, the breach highlights a key truth: operational resilience doesn’t equate to data resilience. Encrypting systems may be recoverable, but exfiltration of personal health information brings long-term repercussions from identity theft and fraud to regulatory penalties and reputational damage.

This attack underscores several health sector realities: first, the growing threat from criminal groups targeting critical third-party providers, which can create widespread exposure across multiple healthcare entities. The strategy is calculated: by hitting one vendor, threat actors pressure dozens of connected institutions. Second, healthcare providers must assume data exfiltration is part of the ransomware playbook, not a secondary outcome. As this attack shows, even without disrupting clinical workflows, the long tail of exposed data damages remains severe.

For healthcare CISOs, it’s clear that traditional defenses alone aren’t enough. Continuous monitoring of not only local infrastructure but also vendor environments, encryption of both data at rest and in transit, and segmented access controls, even within SaaS platforms, are essential. In addition, patient communication and identity protection must be swift and transparent to preserve trust, regardless of operational impact."