
DaVita — a major provider of care for patients with kidney disease — disclosed approximately 1 million medical records were exposed in a cyberattack, including the health information of veterans receiving VA-covered dialysis and lab services in their communities. (Photo illustration by Manuel Garcia)

WASHINGTON — A national dialysis center that contracts with the Department of Veterans Affairs was the target of a ransomware attack that breached veterans' medical records containing Social Security numbers, test results and health insurance information.

DaVita — a major provider of care for patients with kidney disease — disclosed approximately 1 million medical records were exposed in the cyberattack, including the health information of veterans receiving VA-covered dialysis and lab services in their communities.

DaVita provided details about patient information potentially compromised in notifications to attorneys general in several states, according to HIPAA Journal, which posts regulatory updates on the Health Insurance Portability and Accountability Act.

For the first quarter of 2025, the VA paid $206 million to DaVita to provide dialysis and lab testing services, according to USASpending.gov, a government website on federal spending, including contracts, grants and loans.

The cyberattack hit DaVita’s own internal computer systems, exposing some sensitive information from VA patient records, the VA said.

Patient names, images of checks and tax identification numbers might have been exposed in some of the patient files, DaVita said in an announcement.

“Throughout our response to this matter, patient care delivery has continued. At this time, all major network servers and systems that were impacted have been restored in a secure manner,” the company said.

Neither the VA nor DaVita would discuss the scope of the cyberattack or the number of veterans’ records accessed.

“Currently, forensic investigators and the FBI continue their work to determine the extent of the breach,” the VA said in a written statement.

DaVita provides dialysis and lab services for patients with kidney failure who typically require up to three treatments a week, according to the company.

The majority of VA patients with end-stage renal disease — or kidney failure — receive their dialysis and lab tests from community providers, the VA said. Approximately 80% of VA patients received their treatment from community health care providers in fiscal 2021 and 2022, the VA said.

End-stage renal disease is more common in veterans than in the general population and requires dialysis or a kidney transplant. About 13,000 new cases are diagnosed each year, the VA said.

DaVita Inc. is one of the nation’s largest providers of outpatient dialysis treatments and lab testing services, according to the Securities and Exchange Commission. It processes more than 21 million lab specimens yearly for kidney dialysis patients. DaVita operates more than 2,675 outpatient dialysis centers in 43 states.

The data breach affects records of veterans who receive their dialysis and related lab services through the VA Veteran Community Care Program, according to the VA.

Overall, the VA cares for about 600,000 veterans with chronic kidney disease, which develops when the kidneys are damaged and unable to properly filter waste and fluids from the blood. Dialysis filters toxins from the body when the kidneys no longer function properly.

Demand for kidney dialysis and testing services is growing, and the agency has limited capacity, according to the VA. One in seven Americans is affected by kidney disease, but it impacts approximately one in six veterans, according to the American Kidney Fund.

Veterans impacted by the data breach will be notified and offered up to 12 months of free online monitoring for protection against identity theft through Experian, a national credit rating service, the VA said.

The VA Veteran Community Care Program is a network of private health care providers that serve veterans when the VA cannot provide the health services close to home and in a timely manner.

DaVita first announced the incident this spring in an SEC filing. DaVita said it was targeted in a ransomware attack that had encrypted parts of its network.

VA’s own internal computer systems were not affected in the computer hack, the VA said.

Linda F. Hersey is a veterans reporter based in Washington, D.C. She previously covered the Navy and Marine Corps at Inside Washington Publishers. She also was a government reporter at the Fairbanks Daily News-Miner in Alaska, where she reported on the military, economy and congressional delegation.
