The Interlock ransomware gang posted samples from a trove of data it is claiming to have stolen from the company.
# Incident Report: DaVita Kidney Dialysis Data Breach by Interlock Ransomware
## Executive Summary
The Interlock ransomware gang breached DaVita, a major kidney dialysis provider, resulting in the encryption of network segments and the exfiltration of 1.51 terabytes of sensitive patient data. The attack caused operational disruptions, though contingency plans allowed critical dialysis care to continue. The threat actor publicized the patient information on their leak site, confirming a significant compromise of Protected Health Information (PHI).
## Incident Details
- Discovery Date: Approximately two weeks prior to the public confirmation of operational impact.
- Incident Date: Occurred before DaVita's SEC filing, which was made two weeks prior to the public data posting (Thursday morning).
- Affected Organization: DaVita
- Sector: Healthcare (Dialysis Services)
- Geography: Global (Operates in the U.S. and 13 other countries)
## Timeline of Events
### Initial Access
- Date/Time: Not explicitly stated, but occurred prior to the operational impact notification.
- Vector: Not explicitly stated, implied to be a successful ransomware deployment.
- Details: Attack led to the encryption of parts of the network, impacting operations.
### Lateral Movement
- Details: Not explicitly detailed, but necessary to facilitate the exfiltration of 1.51 TB of data.
### Data Exfiltration/Impact
- Date/Time: Data was posted on the dark web leak site on Thursday morning.
- Details: 1.51 terabytes of data, including sensitive patient information from dialysis treatments, was stolen and subsequently leaked.
### Detection & Response
- Detection: The company detected the network encryption and operational impact.
- Response actions taken: DaVita implemented contingency plans to ensure the continuation of critical patient care (kidney dialysis). A full investigation was initiated, and the company planned to notify affected parties as appropriate.
## Attack Methodology
- Initial Access: Not specified.
- Persistence: Not specified.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified.
- Credential Access: Not specified.
- Discovery: Not specified.
- Lateral Movement: Implied necessary to access and collect 1.51 TB of data.
- Collection: 1.51 TB of data related to dialysis patients was collected.
- Exfiltration: Data was exfiltrated for double-extortion, culminating in a public posting on the threat actor's leak site.
- Impact: Network encryption severely impacted operations, alongside the public exposure of PHI.
## Impact Assessment
- Financial: Not disclosed, but the SEC filing suggests operational disruption.
- Data Breach: 1.51 TB of data stolen, confirmed to contain sensitive patient information pertaining to dialysis treatments.
- Operational: Encryption impacted parts of the network, requiring contingency plans to maintain essential life-saving dialysis services for approximately 281,100 patients globally.
- Reputational: Significant as sensitive patient data was publicly posted by the ransomware gang.
## Indicators of Compromise
- Network indicators: None provided (URLs/IPs were not present in the text).
- File indicators: None provided.
- Behavioral indicators: Ransomware encryption activity leading to operational degradation. Posting of stolen data on a known dark web leak site associated with the Interlock group.
## Response Actions
- Containment measures: Not detailed; implied by the company's ability to maintain operations through contingency planning.
- Eradication steps: A full investigation is underway.
- Recovery actions: Not fully detailed, but recovery efforts are ongoing following network encryption.
## Lessons Learned
- Resilience in Essential Operations: DaVita successfully maintained critical patient care delivery (dialysis) despite network encryption through contingency planning.
- Visibility Gap: Attackers achieved significant data exfiltration (1.51 TB) prior to or concurrent with the encryption phase, indicating potential gaps in network monitoring or segmentation.
## Recommendations
- Review and strengthen segmentation controls to limit lateral movement following initial access.
- Enhance monitoring capabilities specifically targeting large-scale data staging and exfiltration activity.
- Conduct thorough testing of contingency and downtime procedures specifically tailored for data exfiltration scenarios (double extortion preparedness).
- Proactively engage with vendors and partners to raise awareness regarding current threats, as suggested by DaVita.