Data Breach Notification
,
Data Security
,
Fraud Management & Cybercrime
Interlock Claims to Have 1.5TB of DaVita’s Data as Expenses Mount
DaVita Inc., one of the largest kidney dialysis providers in the world, told regulators that an April cyberattack has cost the company $13.5 million so far and has affected more than one million people in the U.S., and counting. Interlock says it’s behind the data theft and ransomware attack.
See Also: A Modern Approach to Data Security
Cybercriminal gang Interlock on its darkweb site claims to have more than 1.5 terabytes of DaVita’s stolen data. DaVita, in an April filing to the U.S. Securities and Exchange Commission, said the incident also involved ransomware encryption of “certain elements” of its network (see: Ransomware Attack Disrupts Global Dialysis Provider DaVita).
As of Wednesday, several state attorneys general offices – including Massachusetts, Oregon, South Carolina, Texas and Washington – had posted data breach reports DaVita recently filed with those regulators. In total, those five reports reflect more than one million affected patients. The largest impact so far was in Oregon, to which DaVita reported nearly 916,000 affected individuals.
As of Wednesday, the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals did not yet show a report from DaVita related to the recent hacking incident.
In its breach notice, Colorado-based DaVita is told affected individuals that the information compromised in the incident included data in its dialysis labs database.
Compromised information varies by individuals but includes name, address, date of birth, Social Security number, health insurance-related information, other identifiers internal to DaVita, clinical information such as health condition, treatment information and certain dialysis lab test results. For some people, the breached information also included tax identification numbers and images of checks written to DaVita.
DaVita forensics investigation concluded that the incident started on March 24 and continued until the threat actor was blocked from the company’s servers on April 12.
Attack’s Financial Impact
DaVita on Tuesday also told the SEC that the April cyber incident “resulted in a temporary disruption of our operations,” costing the company about $13.5 million in charges during the second quarter.
So far, DaVita said the incident “increased our patient care costs by $1.0 million and general and administrative expenses by $12.5 million to remediate the incident and restore systems with the assistance of third-party cybersecurity professionals. This does not include the impact related to business interruption on our results.”
For the second quarter ended June 30, DaVita reported consolidated revenues of $3.38 billion and net income of $199 million. Operating income was $538 million and adjusted operating income was $551 million, DaVita told the SEC.
“The quarter change was primarily due to costs related to the cybersecurity incident, a gain recognized in the first quarter of 2025 and increased compensation expenses,” DaVita reported.
The company’s SEC filing also warned that an assortment of potential factors could affect DaVita’s future financials including “noncompliance by us or our business associates with any privacy or security laws or any security breach by us or a third-party, such as the recent cybersecurity incident experienced by the company.”
DaVita acknowledged that it faces other risks including “non-compliance or breach involving the misappropriation, loss or other unauthorized use or disclosure of confidential information.”
In an earnings call on Tuesday, Javier Rodriguez, CEO of DaVita, told Wall Street analysts that the financial impact of the cyber incident can be split “into two high-level categories.”
“The first, the discrete costs associated with the incident, such as outside consultants, technology costs, legal costs, etcetera. In the second quarter, those costs were approximately $13 million,” he said.
“The second and more significant category is the impact on treatment volume and revenue per treatment due to lower patient admissions, increased mistreatments and lower expected yield on claims for treatment this quarter, among other things,” Rodriguez said.
But the company said aside from ongoing staffing challenges stemming from lower admissions, “we believe the impact of the cyber event is largely behind us, and there will be limited ongoing effect to adjusted results.”
As for longer-term financial impact involving DaVita’s investments in hardware, software and other technologies to help prevent future data security incidents, Rodriguez told analysts “it’s a marginal cost.”
“At the end of the day, these cybercriminals are quite sophisticated, they keep reinventing themselves,” he said. “And so the corporations and industry has to continue to innovate ourselves. So, we’ve made some investments that we believe to be appropriate and prudent, but I don’t think I would call out anything material.”
DaVita did not immediately respond to Information Security Media Group’s request for additional details about the cyberattack, including the total number of people affected in the U.S. and Interlock’s darkweb claims.