Cyber Incident Victim: DaVita Inc.
Date: Sep 2022
Location: United States of America
Summary
DaVita Inc., a major U.S. healthcare provider specializing in kidney care, experienced a data breach in which an unauthorized party accessed sensitive consumer information, including names, addresses, Social Security numbers, medical details, and health insurance data. The incident impacted at least 1,072 Texas residents, with potential nationwide implications affecting patients, employees, or both. The compromised data contained protected health information tied to personal identifiers, heightening the risk of healthcare identity fraud. The company confirmed the breach and notified affected individuals, though the specific cause and full scope remained unclear at the time of reporting.
Description
DaVita Inc., a major Denver-based healthcare provider specializing in dialysis treatment, confirmed a data breach on September 8, 2022, stemming from unauthorized access to sensitive consumer information. The compromised data included names, addresses, Social Security numbers, medical details, and health insurance information. While the exact cause and timeline of the breach remained undisclosed, DaVita identified the exposure internally, discovering that unauthorized parties could access confidential files. The company conducted a review of affected systems to determine the scope of compromised data and identify impacted individuals. Official filings with the Texas Attorney General confirmed 1,072 affected residents in Texas; the total national impact was not specified but is presumed larger given DaVita’s nationwide operations. Notification letters were dispatched to all verified victims on September 8, 2022, advising them of potential risks. The breach potentially affected both patients and employees, though DaVita did not clarify which groups were specifically impacted. With over 200,000 U.S. patients across 2,816 dialysis centers and substantial operations in ten other countries, the potential scale of the incident was significant.

The breach exposed protected health information (PHI) as defined by HIPAA regulations, because the data included personal identifiers such as Social Security numbers alongside medical data. This combination made it possible to link health records to specific individuals, creating a risk of healthcare identity theft. Such theft could allow criminals to fraudulently obtain medical services using victims’ identities, potentially corrupting medical histories with inaccurate treatment details or allergy information. DaVita’s Texas filing explicitly cited compromised medical information and health insurance data but did not disclose whether specific treatment records or dialysis-related details were accessed. The company provided no information about containment measures, forensic investigations, or system vulnerabilities exploited in the attack. As a provider of end-stage renal disease treatment, DaVita manages highly sensitive patient data, where inaccuracies introduced by identity fraud could directly endanger clinical care. Breach notification, alongside regulatory disclosures to state authorities, was DaVita’s primary confirmed response action.
