Ransomware attack on DaVita kidney care clinics exposes 2.7M patients

After reporting in April that it was the victim of a cyberattack, a nationwide chain of kidney care and dialysis clinics has confirmed the incident was a ransomware attack that exposed the records of 2.7 million people to hackers.

The number comes from a report to the federal government’s healthcare data breach tracker, which shows DaVita was a victim of a network server breach that led to protected health information being accessed or taken offsite.

DaVita, a publicly traded company, had made the attack known to the public in a filing with the U.S. Securities and Exchange Commission. At the time, the company stopped short of saying the attack involved the deployment of ransomware, but it did say hackers “encrypted certain elements” of its systems.

The company operates more than 2,600 clinics nationwide. In a statement to HealthExec, DaVita denied there was any disruption to patient care, as it worked off paper backup systems.

“We are currently experiencing a cyber incident that has impacted certain systems in our network. We have activated backup systems and manual processes to ensure there's no disruption to patient care,” a company spokesperson wrote. “Our teams, along with external cybersecurity experts, are actively investigating this matter and working to restore systems as quickly as possible.”

HealthExec asked if any ransom was demanded by hackers and paid, but the question did not receive a response. 

Infamous cybercrime syndicate behind attack

At the time, an investigation was ongoing into what precisely happened and what data was taken. However, ransomware group Interlock, known for its attacks across healthcare and the public sector, claimed credit for the data breach in a post on its dark web marketplace. 

The group claimed to have over 683,000 files, totaling 1.5TB. Screenshots of the data dump showed images of patient bills, details on medical procedures and more. Bleeping Computer was the first to report the news.

The blog showed the data trove as available for purchase by anyone, though a price was not listed.

It wasn’t until June that DaVita completed its investigation. The number of people impacted was not reported to the federal government until Aug. 1. The company will be responsible for notifying all impacted individuals, per Health Insurance Portability and Accountability Act (HIPAA) regulations.

According to a separate filing with the SEC, DaVita said it incurred $13.5 million in extra expenses as a result of the incident, split between patient care costs, getting its systems back up and running and improving security. 

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.
