Kidney dialysis firm DaVita has confirmed that a ransomware gang that breached its network stole the personal and health information of nearly 2.7 million individuals.

DaVita serves over 265,400 patients across 3,113 outpatient dialysis centers, 2,660 in the United States, and 453 centers in 13 other countries worldwide. The company reported revenues of over $12 billion in 2024 and of $3.3 billion for the second quarter of 2025.

In April, the healthcare provider revealed in a filing with the U.S. Securities and Exchange Commission (SEC) that its operations were disrupted after attackers partially encrypted its network over the weekend.

According to a dedicated website with more information regarding the resulting data breach, the attackers gained access to DaVita's network on March 24 and were evicted after the company detected the incident on April 12.

While inside its systems, the threat actors stole data from DaVita's dialysis labs database, which included a combination of personal (e.g., name, address, date of birth, and social security number), health insurance-related, and health (e.g., condition, treatment information, and dialysis lab test results) information.

For some individuals, the stolen information also includes tax identification numbers and, in some cases, images of personal checks.

On Thursday, the Department of Health's Office for Civil Rights updated its breach portal, confirming that DaVita reported a total of 2,689,826 people had their data stolen in the incident.

​Although the kidney dialysis firm hasn't linked the attack to a specific ransomware operation, the Interlock ransomware gang claimed responsibility for the breach in late April.

Interlock also leaked the allegedly stolen data on its dark web portal after negotiations with DaVita had failed, claiming it had stolen roughly 1.5 terabytes of data from the company's compromised systems, or nearly 700,000 files containing what appeared to be sensitive patient records, insurance details, user account information, and financial data.

Almost one month later, on June 18, DaVita also obtained leaked files and confirmed their legitimacy after discovering that some of them had been stolen from its dialysis labs.

A DaVita spokesperson was not immediately available for comment when BleepingComputer reached out earlier today for more details regarding the breach.

The ​Interlock ransomware operation emerged in September 2024, targeting victims worldwide across multiple industries and focusing primarily on healthcare organizations.

Interlock has been linked to ClickFix and malware attacks, during which they deployed a remote access trojan called NodeSnake on the networks of multiple universities in the United Kingdom.

More recently, the cybercrime gang also claimed to have hacked Kettering Health, a healthcare giant with over 120 outpatient facilities and more than 15,000 employees.