DaVita 2025 Data Breach

DaVita Kidney Dialysis Provider Breach (2025): 2.7 Million Patient Records Including Medical Diagnoses, SSN & Financial Data | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

InterlockRansomware / ExtortionMedicalDate of BirthFinancial AccountFull NameHealth InsuranceMedical DiagnosisPhone NumberPhysical Address
High SeverityWebsite / service breach

DaVita Kidney Dialysis Provider Breach (2025): 2.7 Million Patient Records Including Medical Diagnoses, SSN & Financial Data

Kidney care and dialysis provider serving patients in the U.S. and internationally.

Verified by ObscureIQ Intelligence
94/100Breach Risk Index
78Data Value
40Market Recency
338dSince Breach

Breach Intelligence Summary

Entity: DaVita · Actor: Interlock (ransomware group) · Sources: 2 references
Attack: Ransomware / Extortion
Profile: Healthcare provider · Dialysis and kidney care services · Clinical care network · USA / Global
Timeline: Breach (2025-04-12) · Indexed (May 27, 2025) · Year (2025)
Exposure: 2.7M records · 9 fields: Date of Birth, Financial Account, Full Name, Health Insurance, Medical Diagnosis, Phone Number, Physical Address, Social Security Number, Tax Id
Status: Confirmed

Executive Summary

DaVita discovered a ransomware attack on April 12, 2025, after intruders accessed its network from around March 24, 2025, encrypting portions of its systems while patient care continued under contingency measures. The Interlock ransomware group claimed responsibility, asserting theft of more than 20 terabytes of data, and began leaking roughly 1.5 TB (about 700,000 files) after ransom negotiations failed. DaVita ultimately reported to federal regulators that 2,689,826 individuals were affected. Exposed data included names, Social Security numbers, dates of birth, addresses, driver’s license and government ID numbers, financial account/card information, health insurance information, medical/diagnosis records, tax identification numbers and images of checks. The breach is cataloged by DataBreach.com and reported to HHS OCR; DaVita has offered affected individuals credit monitoring.

ObscureIQ assessment: Severe risk. Exposure enables identity theft, medical fraud, insurance abuse, and targeted scams exploiting chronic illness, ongoing treatment, or care dependence.

Breach Impact

The attack encrypted parts of DaVita’s network and led to the theft and dark-web leak of protected health information for roughly 2.7 million patients, a chronically ill population for whom exposure of diagnoses, Social Security numbers, financial and insurance data is especially damaging. Beyond operational disruption and remediation costs, the breach exposes patients to lasting medical-identity and financial fraud risk, erodes patient trust, and creates significant regulatory and litigation exposure for the company.

About DaVita

DaVita Inc. is a Denver-based, publicly traded company (NYSE: DVA) and one of the largest kidney-care and dialysis providers in the world, operating a network of outpatient dialysis centers across the United States and internationally. It delivers chronic in-center and home dialysis, related laboratory services, and integrated kidney-care programs, maintaining long-term clinical relationships with hundreds of thousands of patients living with kidney disease.

Why They Hold Your Data

Dialysis and kidney-care networks collect highly sensitive patient identity, contact, insurance, billing, scheduling, and treatment records across chronic-care and clinical operations.

Recent Developments

DaVita continues to operate as a major public dialysis provider. Following the April 2025 ransomware attack it disclosed the incident in an SEC 8-K filing, restored affected systems, and reported the breach to the U.S. Department of Health and Human Services, which lists 2,689,826 individuals affected, making it one of the largest U.S. healthcare breaches of 2025. DaVita began notifying affected individuals in August 2025, offered credit monitoring, and faces multiple class-action lawsuits arising from the incident.

Data Points Exposed

9 verified field types
Date of Birth High
Financial Account
Full Name High
Health Insurance
Medical Diagnosis Critical
Phone Number
Physical Address High
Social Security Number Critical
Tax Id

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:Critical
Primary downstream threats:
  • Medical identity fraud and insurance abuse using diagnosis and health-insurance data
  • Identity theft and synthetic identity construction using SSN, DOB, driver’s license and government ID
  • Financial fraud using exposed financial account/card information and check images
  • Extortion and targeted scams exploiting chronic-illness and treatment status
  • Targeted phishing and vishing using name, phone and address
  • Doxxing and physical targeting from exposed home addresses
Threat vectors:
  • Medical extortion, insurance fraud & discrimination
  • Full identity theft & synthetic identity fraud
  • Financial account & payment fraud
  • Name-based social engineering
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Home targeting, stalking & physical threat
  • Profile enrichment

Threat Actor: Interlock (ransomware group)

Interlock (ransomware group)
Ransomware / Extortion

Attribution and method are based on available breach intelligence. Reported attack vector: Ransomware / Extortion.

Recommended Actions

If you believe your information may be included:

Protect Your ID Documents
Government-ID exposure enables document fraud — monitor and report misuse.
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the DaVita breach?

DaVita discovered a ransomware attack on April 12, 2025, after intruders accessed its network from around March 24, 2025, encrypting portions of its systems while patient care continued under contingency measures. The Interlock ransomware group claimed responsibility, asserting theft of more than…

What data was exposed?

Verified fields include Date of Birth, Financial Account, Full Name, Health Insurance, Medical Diagnosis, Phone Number, Physical Address, Social Security Number, Tax Id.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
DataBreach.com
Record & field corroboration
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation