Active breach tracker Denver, Colorado Disclosed August 1, 2025

DaVita Data Breach 2025: Interlock Ransomware Hits Largest US Dialysis Provider, 2.7M Patients Exposed. What To Do

DaVita Inc. (NYSE: DVA), the largest US dialysis provider, disclosed an April 12, 2025 ransomware attack by the Interlock group that exposed protected health information of 2,689,826 patients. Names, SSNs, dialysis lab results, health insurance data, and some tax IDs were taken. ~1.5TB posted to Interlock's leak site. Three class actions filed. Experian identity restoration offered. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Mar 24, 2025

Interlock gains initial access to DaVita network (primarily laboratory systems)

Apr 12, 2025

DaVita detects intrusion, isolates systems, activates incident response

Apr 12, 2025

Attacker gained access

Apr 14, 2025

DaVita files Form 8-K with the SEC disclosing the security incident

Apr 24, 2025

Interlock claims responsibility and posts ~1.5TB of stolen data to its leak site

Aug 1, 2025

DaVita files HIPAA breach report with HHS OCR (2,689,826 individuals)

Aug 1, 2025

First class-action complaints filed in D. Colo.

Aug 5, 2025

DaVita begins mailing patient notification letters

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Health conditions and other treatment information Dialysis lab test results

03

Contact & insurance

Phishing + targeted scams

Full name Home address Health insurance information Internal DaVita identifiers Tax identification number (some individuals) Images of checks written to DaVita (limited number)

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Reid v. DaVita Inc., 1:25-cv-01362 (D. Colo.) Jenkins, et al. v. DaVita Inc., 1:25-cv-01358-SBP (D. Colo.) Migliaccio & Rathod LLP (investigation) The Lyon Firm (investigation) Edelson PC (investigation)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

DaVita Inc. is the largest dialysis provider in the United States. It runs roughly 3,100 outpatient dialysis centers, plus inpatient critical-care and laboratory services, and trades on the NYSE under the ticker DVA. On April 12, 2025, DaVita detected an active intrusion on its network. Forensic investigators later established that the Interlock ransomware group had been inside since March 24, 2025, with access concentrated on DaVita’s laboratory systems.

DaVita filed a Form 8-K with the SEC on April 14, 2025, characterizing the event as “a ransomware incident that encrypted certain elements” of its network and was “causing some operational disruption.” On April 24, 2025, Interlock claimed responsibility and posted a listing on its dark-web leak site advertising roughly 1.5 terabytes of DaVita data across approximately 683,000 files. Interlock further claimed it held over 20 TB in total, with more than 200 million rows of patient records.

DaVita filed its HIPAA breach report with the HHS Office for Civil Rights on August 1, 2025, reporting 2,689,826 individuals affected. Patient notification letters began mailing on August 5, 2025.

What was exposed

Per DaVita’s notification letter, the affected information varies by individual but may include:

  • Name, address, date of birth
  • Social Security number
  • Health insurance information
  • Internal DaVita identifiers
  • Health conditions and other treatment information
  • Dialysis lab test results
  • Tax identification number (some individuals)
  • Images of checks written to DaVita (limited number)

The mix matters. This is not a benign “name and address” leak. For a sizeable population of dialysis patients, clinical lab results and treatment information sit on the Interlock leak site alongside SSNs, which puts both medical identity fraud and traditional financial identity theft in scope.

Interlock and the leak-site posture

Interlock is a ransomware-as-a-service operation that emerged in 2024 and runs the standard double-extortion playbook: encrypt for operational leverage, exfiltrate for blackmail leverage. DaVita appears not to have paid the ransom. The DaVita listing remained live on Interlock’s leak site after disclosure, and the ~1.5 TB tranche was released. Independent breach-tracking outlets including DataBreaches.net and BlackFog have documented the listing. (HealthConsent does not link to or mirror the leak-site content.)

Operational impact

DaVita publicly stated that patient care continued without interruption throughout the incident. The company moved to manual processes and backup protocols at affected facilities, isolated compromised systems, and brought in external forensics. DaVita disclosed approximately $13.5 million in incident-related costs in its Q2 2025 results, covering forensics, remediation, and patient protection services.

Litigation and regulatory status

Within weeks of DaVita’s August notification mailings, at least three putative class actions had been filed in the U.S. District Court for the District of Colorado, including:

  • Reid v. DaVita Inc., No. 1:25-cv-01362 (D. Colo.)
  • Jenkins v. DaVita Inc., No. 1:25-cv-01358-SBP (D. Colo.)

Plaintiffs assert negligence, breach of implied contract, and violations of common-law and statutory duties under the FTC Act and HIPAA, arguing DaVita failed to implement adequate data-security measures. The HHS OCR investigation remains open. State attorney general notifications were filed in jurisdictions that require them; no public AG enforcement action has been announced.

What DaVita is offering

DaVita is offering complimentary identity restoration services through Experian to affected individuals. Per the notification letter, enrollment is available until November 28, 2025. The activation code is included in the mailed letter.

What to do if you are a DaVita patient

  1. Enroll in the offered Experian identity restoration program before the enrollment deadline using the code from your letter.
  2. Freeze your credit at all three nationwide bureaus (Equifax, Experian, TransUnion). Full SSN is in scope. Freezes are free and reversible.
  3. File IRS Form 14039 (Identity Theft Affidavit) if you see any unfamiliar tax activity — tax identification numbers and check images are in scope for some patients.
  4. Watch your insurance Explanation of Benefits and Medicare Summary Notices for unfamiliar dialysis-related or other claims. Medical identity theft is the harder-to-detect downstream consequence here.
  5. Set up account alerts on any bank account from which you have written checks to DaVita. Check images on the leak site can support targeted check-fraud attempts.
  6. Be skeptical of dialysis- or kidney-care-themed phone calls and emails for at least 12 months. Treatment details on the leak site enable convincing pretexting.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.