
A ransomware attack on Denver-based DaVita, Inc. (DaVita), a dialysis and kidney care provider, could affect thousands of patients in the U.S. and abroad.
DaVita is One of the Largest Kidney Care Providers
DaVita is the second largest provider of kidney care services in the United States (after Fresenius Medical Care), operating 2,657 outpatient treatment centers that provide dialysis to kidney disease patients. The company reported annual revenue that surpassed $12.8 billion in 2024.
It also operates 509 outpatient centers in 13 countries, including Brazil, Chile, Colombia, Ecuador, Germany, Malaysia, Poland, Portugal, Saudi Arabia, Singapore, and the United Kingdom. DaVita also provides home health dialysis.
DaVita Response Protocols
DaVita disclosed the cyberattack in a Monday filing with the Securities and Exchange Commission (SEC). According to the Form 8-K filing, it suffered a ransomware attack on Saturday, April 12, that encrypted parts of its network and impacted some of its operations.
“Upon discovery, we activated our response protocols and implemented containment measures, including proactively isolating impacted systems.”
The attack and response efforts have adversely impacted some operations.
“We have implemented our contingency plans, and we continue to provide patient care. However, the incident is impacting some of our operations, and while we have implemented interim measures to allow for the restoration of certain functions, we cannot estimate the duration or extent of the disruption at this time.”
Although DaVita reports that it continues to provide care, some believe there’s a strong chance patient care will be affected, given the critical and time-sensitive nature of kidney care.
The incident is so recent that the facts are still unfolding. DaVita noted in its SEC report that it is investigating, but “the full scope, nature, and potential ultimate impact on the Company are not yet known.” It has neither posted a security incident report on its website nor filed a breach report with the U.S. Department of Health and Human Services (HHS).
Large Healthcare Providers are Targeted for Cyberattacks
The DaVita incident reminds us that large healthcare providers are attractive and lucrative targets for hackers. The disruption to operations and the critical nature of patient care place the provider in a precarious position, requiring it to balance patient services with response strategies.
DaVita holds a vast amount of protected health information (PHI) for hundreds of thousands of patients. Medical identity information continues to be the most valuable on the black market because it can be used for insurance fraud and to obtain prescription drugs.
Before this latest incident, DaVita had reported at least three large health data breaches to HHS and state regulators. The most recent one, in July 2024, was an unauthorized disclosure incident involving a network server that affected 67,443 individuals. It was caused by DaVita’s previous use of online tracking pixels on its patient portal and mobile applications. A class action lawsuit followed, and ultimately, DaVita settled the case for $3.8 million.