DaVita ransomware breach exposes 2.7M patients via MOVEit supply chain attack. Learn about the data exposure & healthcare security implications.

Continue reading
In a stark illustration of healthcare’s third-party vulnerability, a ransomware attack exploiting the pervasive MOVEit Transfer vulnerability has compromised the protected health information (PHI) of nearly 2.7 million patients of DaVita Inc., a leading U.S. kidney care provider. The breach, originating not within DaVita's own infrastructure but at its communications vendor Welltok, Inc., underscores the systemic risk posed by software supply chains and the enduring threat from the Clop ransomware group’s 2023 campaign.
DaVita, which operates a network of over 2,800 dialysis facilities and serves approximately 244,000 patients, was not directly compromised. Instead, the breach vector was its third-party service provider, Welltok, Inc., which delivers patient engagement and communication software to numerous healthcare entities.
The incident is a direct consequence of the mass-exploitation of zero-day vulnerabilities (CVE-2023-34362, CVE-2023-35036) in Progress Software’s MOVEit Transfer secure file-transfer tool in May 2023. Welltok utilized this platform, and its systems were breached during the wide-scale campaign orchestrated by the Clop (aka Cl0p) ransomware gang. The data pertaining to DaVita’s patients, exfiltrated during that event, has now been leveraged by a second threat actor, RansomHub, which is reportedly monetizing the previously stolen dataset.
The attack pathway demonstrates a classic software supply chain compromise:
The exposed data constitutes a high-value payload for cybercriminals due to its comprehensiveness and sensitivity, which facilitates identity theft, targeted phishing (smishing/vishing), and insurance fraud. According to filings and notifications, the compromised information includes:
The combination of SSNs and specific medical records creates a potent risk for affected individuals, as this information is perennial on dark web markets and is not easily changed, unlike a compromised credit card number.
Welltok, as the data processor, began notifying affected organizations and individuals in April 2024, nearly a year after the initial intrusion. This delay is attributed to the complex process of identifying, categorizing, and validating the impacted data across its vast client portfolio.
DaVita reported the breach to the U.S. Department of Health and Human Services (HHS) as required by the Health Insurance Portability and Accountability Act (HIPAA). The incident is listed on the HHS breach portal as impacting 2,700,000 individuals.
In compliance with standard post-breach protocols, Welltok is offering affected individuals 24 months of complimentary credit monitoring and identity theft protection services through CyEx.
The DaVita/Welltok incident is not an outlier but a critical node in one of the most significant cyber campaigns in recent history. The MOVEit exploitation campaign has impacted over 2,700 organizations and 90 million individuals globally, spanning finance, energy, and most acutely, healthcare.
This event reinforces three critical truths for the healthcare sector:
For Affected Individuals:
For Healthcare Organizations & Infosec Leadership:
The DaVita breach is a sobering testament to the interconnected and persistent nature of modern cyber threats.
For the healthcare industry, where the protection of human well-being is directly linked to data security, building resilience requires a holistic strategy that looks far beyond organizational perimeter defenses. The future of healthcare cybersecurity depends on forging a resilient, transparent, and vigilant ecosystem that can weather the relentless evolution of the ransomware threat.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation