2.7 Million Dialysis Patients Had Their Data Stolen, What Startups Can Learn
- Lucas Daniels
- Aug 28
- 3 min read
This is a cautionary tale for founders and GRC leads: DaVita, a major kidney dialysis provider, was hit by a ransomware attack that compromised the records of up to 2.7 million individuals, including medical, financial, and personal data. The breach didn't stop them from treating patients, but it cost just over £10 million in Q2 2025 and shook confidence in healthcare data security.
Let’s unpack what happened and, more importantly, what your startup can do to make sure this doesn’t happen to you.
Why the DaVita Breach Is So Important
The ransomware group dubbed "Interlock" had access to DaVita's lab database between March 24 and April 12, 2025. The attackers exfiltrated around 1.5 TB of data (nearly 700,000 files) and encrypted parts of the network. The exposed data included names, Social Security numbers, insurance details, clinical results, tax IDs, and even cheque images.
An incident like this is not just an embarrassment for the company; it is a lasting threat to the people whose data was taken. A Social Security number or tax ID cannot be rotated the way a password can, and records that combine identity, insurance, and clinical details let attackers craft individually targeted, highly convincing phishing attacks that are very difficult to defend against.
What It Taught Us
Operational resilience isn't enough: DaVita managed, with great difficulty, to keep treating patients, but the data fallout will affect them for years.
Detection must cover exfiltration, not just intrusion: the attackers had weeks inside the lab database and moved 1.5 TB out. Spotting that outbound flow matters as much as spotting the initial entry.
Financial and legal fallout: the incident cost around £10 million in remediation, with £9.25 million for administration and recovery plus £750 thousand in additional patient-care costs.
What Startups Should Do Now
1. Assume Exfiltration, Not Just Encryption
Treat any compromise as if the data is already gone. Monitor outbound traffic volume and destinations from the systems that hold sensitive data, not just for files that suddenly become encrypted.
2. Zero-Trust and Segmented Access
Limit access to critical systems to the identities that need it. Even internal tools should sit behind strong access segmentation so that one compromised workstation cannot reach the lab database. Vet service vendors thoroughly, since their access is your access.
3. Backup Strategically
Use 3-2-1 backups (three copies, on two kinds of media, one held off-site), include air-gapped or immutable copies, and test restores regularly. Remember that backups are an attacker's target: ransomware crews routinely delete or encrypt any backup they can reach before they trigger encryption.
4. Layered Detection and Logging
Deploy EDR/XDR tooling, log key events, and alert on anomalies such as mass file access, unusual outbound volume, or unexpected privilege escalation, including within SaaS environments.
5. Multi-Factor Authentication Everywhere
No weak links. Use MFA across all systems, and especially for admin, lab, and remote-access tools; prefer phishing-resistant methods (FIDO2 security keys or passkeys) for privileged accounts.
6. Phishing-Resistant Culture
Run regular phishing simulations that include ransomware lures. Use real examples (e.g. “lab test results attached”) for relevance.
7. Incident Response and Tabletop Exercises
Document and test your response plan. Cover both operational continuity and communications (including breach notification). Know who does what, and when.
8. Encrypt Data in Motion and at Rest
Encryption alone won't stop exfiltration (an attacker who holds the application's access sees the data decrypted), but it raises the bar. Make encryption standard for sensitive datasets, especially PHI.
9. Engage Third-Party Forensics Early
If you are breached, bring forensic experts and law enforcement on board fast. Quick containment limits the damage, both financial and reputational.
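Items 1 and 4 above both come down to the same detection logic: watch for volume that does not match normal behaviour. The following is an added example, not code from the original post or from DaVita; it runs two rules over constructed log lines (a sliding-window sum of bytes sent to external destinations per source host, and a count of distinct files read per user inside a short window). The log formats, hostnames, thresholds, and the internal network ranges are assumptions; tune them to your own baseline before relying on them.

```python
"""Two volume-based detection rules over constructed logs. Added example, not
code from the original post. Log format, hostnames, thresholds and the
internal address ranges are assumptions; every log line here is constructed."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed internal address space; anything outside it is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed egress log (firewall/proxy), assumed format:
# <ISO timestamp> src=<host> dst=<ip-or-hostname> bytes_out=<n>
EGRESS_LOG = """\
2025-03-24T02:10:11 src=lab-db-01 dst=10.0.4.20 bytes_out=120000
2025-03-24T02:11:03 src=lab-db-01 dst=10.0.4.20 bytes_out=98000
2025-03-24T02:15:40 src=lab-db-01 dst=203.0.113.77 bytes_out=900000000
2025-03-24T02:20:09 src=lab-db-01 dst=203.0.113.77 bytes_out=700000000
2025-03-24T02:21:00 src=ws-finance-07 dst=10.0.4.20 bytes_out=15000
2025-03-24T02:25:30 src=ws-finance-07 dst=cdn.example.net bytes_out=4000000
"""

# Constructed file-audit log: three routine reads by a report job, then one
# user opening 60 distinct patient result files inside a single minute.
FILE_AUDIT_LOG = "\n".join(
    [f"2025-04-11T23:00:{i * 10:02d} user=svc-report action=read "
     f"path=/lab/reports/daily-{i}.csv" for i in range(3)]
    + [f"2025-04-11T23:05:{i:02d} user=j.doe action=read "
       f"path=/lab/results/patient-{i:04d}.pdf" for i in range(60)]
)


def parse_kv_line(line):
    """'<ts> k=v k=v ...' -> dict with a parsed datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def is_external(dst):
    """An IP outside INTERNAL_NETS is external; a hostname is treated as
    external too (an allow-list of known SaaS hosts would refine this)."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def outbound_transfer_alerts(log_text, window=timedelta(minutes=30),
                             threshold_bytes=1_000_000_000):
    """Flag a source whose bytes to external destinations exceed the threshold
    within a sliding time window (one alert per source)."""
    recent = defaultdict(deque)   # src -> deque of (ts, bytes) inside window
    totals = defaultdict(int)     # src -> running sum of those bytes
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        rec = parse_kv_line(line)
        if not is_external(rec["dst"]):
            continue
        src, sent = rec["src"], int(rec["bytes_out"])
        recent[src].append((rec["ts"], sent))
        totals[src] += sent
        while rec["ts"] - recent[src][0][0] > window:   # evict stale entries
            totals[src] -= recent[src].popleft()[1]
        if totals[src] > threshold_bytes and src not in alerted:
            alerts.append((src, rec["dst"], totals[src]))
            alerted.add(src)
    return alerts


def mass_file_access_alerts(log_text, window=timedelta(minutes=5),
                            max_distinct_files=25):
    """Flag a user who reads more distinct paths than allowed inside the window."""
    recent = defaultdict(deque)   # user -> deque of (ts, path) inside window
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        rec = parse_kv_line(line)
        if rec["action"] != "read":
            continue
        user = rec["user"]
        recent[user].append((rec["ts"], rec["path"]))
        while rec["ts"] - recent[user][0][0] > window:  # evict stale entries
            recent[user].popleft()
        distinct = len({path for _, path in recent[user]})
        if distinct > max_distinct_files and user not in alerted:
            alerts.append((user, distinct))
            alerted.add(user)
    return alerts


if __name__ == "__main__":
    print("outbound:", outbound_transfer_alerts(EGRESS_LOG))
    print("file access:", mass_file_access_alerts(FILE_AUDIT_LOG))
```

On the constructed input the first rule fires once, for lab-db-01 after 1.6 GB has left for 203.0.113.77 within the window, and the second fires for j.doe at the 26th distinct patient file; the report job's three reads and the workstation's small CDN traffic stay quiet. The same shape works against real proxy, VPC flow, or file-server audit logs once the parser matches your format; the thresholds are the part you must derive from a baseline rather than copy.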
In Our Experience
From working with startups, we've seen plenty of small and mid-sized businesses underestimate how tempting their data is to attackers. The moment when you think "we'll add security later" often becomes "we wish we had added it sooner." The DaVita breach shows that even companies with life-critical operations can be blindsided, and that attackers exploit gaps you didn't know existed.
Closing reflection
Building security doesn't mean adding layers of complexity; it means building smart defaults that grow with you. If you'd like help mapping your incident response readiness, testing phishing defences, or designing simple detection workflows, we're here. At Steel FYI we make security feel like a trusted sidekick, not a scary visitor.