20TB of DaVita healthcare data allegedly stolen

29-04-2025 - 4 minute read. Posted in: cybercrime.

Interlock ransomware claims responsibility for 20TB DaVita data breach

The ransomware group Interlock has claimed responsibility for a cyberattack on DaVita, one of the largest healthcare providers in the United States. The group alleges that it stole more than 20 terabytes of sensitive data and has already begun leaking some of it online to pressure the company into paying a ransom.

A high-profile healthcare target

DaVita is a Fortune 500 company based in Denver that provides dialysis treatment to millions of patients across the United States and internationally. With thousands of outpatient clinics and extensive data infrastructure, DaVita holds large volumes of personal and medical information, making it a prime target for cybercriminals.

According to Interlock, the stolen data includes internal communications, employee records, legal files, patient details and backup files. While the full scope of the breach has not been independently confirmed, the initial leaks appear to be legitimate and suggest significant exposure.

This is not the first time the healthcare sector has faced serious data breaches. Earlier incidents include the largest healthcare data breach in history and a cyberattack on a major US blood center, both of which exposed critical patient and operational data. Healthcare organisations remain a prime target for hackers due to the high value of medical information and the urgency of medical operations.

A shift toward data extortion

Interlock is a relatively new player in the ransomware ecosystem and operates using a double extortion model. This approach focuses less on encrypting systems and more on exfiltrating data. Victims are threatened with public data leaks if they refuse to pay.

This tactic creates intense pressure on organisations like DaVita, which must consider not only financial damage but also the legal and ethical consequences of leaked patient information. According to statements published on Interlock’s leak site, the group attempted to initiate negotiations with DaVita but received no response. As a result, they began releasing portions of the data.

Why healthcare data is so valuable

Breaches involving healthcare providers are especially damaging because of the nature of the data involved. Unlike passwords or credit card numbers, medical histories and personal health records cannot simply be changed. This information is highly valuable on dark web markets and can be used in identity theft, insurance fraud or targeted scams.

Cyberattacks on the healthcare sector have increased significantly in recent years. Authorities such as the U.S. Department of Health and Human Services have warned that hospitals and medical service providers are facing rising threats due to their dependence on digital systems and the critical nature of their work.

DaVita’s current stance

At the time of writing, DaVita has not publicly confirmed that a breach occurred. The company has acknowledged the claims and stated that it is actively investigating the situation in collaboration with cybersecurity experts and law enforcement.

If the breach is verified, DaVita may face legal consequences under U.S. regulations such as the Health Insurance Portability and Accountability Act (HIPAA), which requires strict safeguards for handling patient data.

A growing risk for critical infrastructure

The DaVita incident highlights a broader trend of ransomware targeting critical sectors. Attackers are increasingly moving away from broad, indiscriminate campaigns and focusing on organisations where the stakes are high and the data is sensitive.

Companies that handle critical infrastructure or personal data must invest in comprehensive cybersecurity strategies. This includes regular employee training, access controls, segmented networks and well-practiced incident response plans. Preparing in advance is the best way to reduce risk when facing increasingly aggressive ransomware groups.

Author Sarah Krarup

Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.
