Interlock ransomware group claims it stole 20TB of sensitive patient data from DaVita Healthcare. While the group has…

Interlock ransomware group claims it stole 20TB of sensitive patient data from DaVita Healthcare. While the group has leaked 1.5TB; it is offering the rest of the data for a price which includes the personal details of millions of patients.

Patients receiving critical kidney dialysis treatment from DaVita, a major healthcare provider, are now facing the possible exposure of their sensitive information. A group of cyber criminals from the Interlock ransomware has claimed responsibility for the cyberattack on the company and has begun posting what they say is stolen patient data on their dark web leak site.

This development comes just two weeks after DaVita, which operates a vast network of over 2,500 dialysis centres across the United States and hundreds more in 13 other countries, informed the US Securities and Exchange Commission about the ransomware attack, after which the company’s share fell by 3%, as reported by Investopedia.

As Hackread.com previously reported, the attack, which occurred around April 12th, involved the encryption of parts of DaVita’s computer systems, causing disruptions to their internal operations. At the time of their initial disclosure, DaVita stated they were implementing contingency plans to ensure uninterrupted patient care, a crucial service for individuals with end-stage renal disease who require dialysis multiple times a week to survive.

Now, Interlock, a relatively new ransomware group that began listing victims on its leak site in October 2024, is claiming to have stolen a massive 1.51 terabytes of data from DaVita. They have already posted samples of this alleged stolen information, raising serious concerns about the privacy of DaVita’s patients.

Screenshot from the Interlock Ransomware’s dark web leak site (Image credit: Hackread.com)

DaVita has acknowledged the dark web posting and stated they are in the process of thoroughly reviewing the data involved. “We are disappointed in these actions against the healthcare community and will continue to share helpful information with our vendors and partners to raise awareness on how to defend against these attacks in the future,” their spokesperson stated.

The potential scale of the breach is significant considering that DaVita served approximately 281,100 patients worldwide through its extensive network of over 3,000 outpatient dialysis centres in 2024.

Cybersecurity experts, including Paul Bischoff from Comparitech, note that Interlock has been linked to a growing number of confirmed attacks since its emergence. It is worth noting that this group has previously claimed responsibility for a cyberattack on Texas Tech University Health Sciences Centre, an incident that reportedly compromised the medical information of over 530,000 individuals.

This track record emphasises the potential severity of the current situation for DaVita and its patients. The full scope of the compromised data and the potential consequences for affected individuals are yet to be determined as DaVita continues its investigation.

Paul Bischoff, Consumer Privacy Advocate at Comparitech, commented on the latest development, stating, “Interlock began listing victims in October 2024, demanding ransom for decrypting systems and deleting stolen data. We’ve tracked 13 confirmed and 13 unconfirmed attacks by the group and in 2025 alone, there have been 17 confirmed ransomware attacks on US healthcare companies, with 80 more unconfirmed.”

“As seen with DaVita, these attacks can severely disrupt patient care and lead to long-term data privacy issues. In 2024, nearly 25.7 million records were breached across 160 healthcare ransomware incidents,” Paul revealed.

Interlock Ransomware Say It Stole 20TB of DaVita Healthcare Data

A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-34g7-pg9j-pxgp: Moodle allows IDOR when accessing the cohorts report

A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publicly through the site's URL. This vulnerability occurred specifically on two types of pages within the mod_data module: edit and delete pages.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-3637

**Moodle's mod\_data edit/delete pages pass CSRF token in GET parameter**

Low severity GitHub Reviewed Published Apr 25, 2025 to the GitHub Advisory Database • Updated Apr 25, 2025

**Package**

composer moodle/moodle (Composer)

**Affected versions**

< 4.1.18

\>= 4.3.0-beta, < 4.3.12

\>= 4.4.0-beta, < 4.4.8

\>= 4.5.0-beta, < 4.5.4

**Patched versions**

4.3.12

4.3.12

4.4.8

4.5.4

**Description**

Published to the GitHub Advisory Database

Apr 25, 2025

Last updated

Apr 25, 2025

**EPSS score**

GHSA-9vc3-vm42-fjhm: Moodle's mod_data edit/delete pages pass CSRF token in GET parameter

A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-3645

**Moodle has an IDOR in messaging web service which allows access to some user details**

Moderate severity GitHub Reviewed Published Apr 25, 2025 to the GitHub Advisory Database • Updated Apr 25, 2025

**Package**

composer moodle/moodle (Composer)

**Affected versions**

< 4.1.18

\>= 4.3.0-beta, < 4.3.12

\>= 4.4.0-beta, < 4.4.8

\>= 4.5.0-beta, < 4.5.4

**Patched versions**

4.1.18

4.3.12

4.4.8

4.5.4

**Description**

Published to the GitHub Advisory Database

Apr 25, 2025

Last updated

Apr 25, 2025

**EPSS score**

GHSA-pj96-xh2w-fgqx: Moodle has an IDOR in messaging web service which allows access to some user details

A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk.

GHSA-hxgg-4qww-85ph: Moodle has reflected Cross-site Scripting risk in policy tool

A flaw was found in Moodle. The analysis request action in the Brickfield tool did not include the necessary token to prevent a Cross-site request forgery (CSRF) risk.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-m8qh-hx4c-h9hr: Moodle has a CSRF risk in Brickfield tool's analysis request action

A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they did not have permission to access.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-3640

**Moodle has an IDOR in web service which allows users enrolled in a course to access some details of other users**

Moderate severity GitHub Reviewed Published Apr 25, 2025 to the GitHub Advisory Database • Updated Apr 25, 2025

**Package**

composer moodle/moodle (Composer)

**Affected versions**

< 4.1.18

\>= 4.3.0-beta, < 4.3.12

\>= 4.4.0-beta, < 4.4.8

\>= 4.5.0-beta, < 4.5.4

**Patched versions**

4.1.18

4.3.12

4.4.8

4.5.4

**Description**

Published to the GitHub Advisory Database

Apr 25, 2025

Last updated

Apr 25, 2025

**EPSS score**

GHSA-6g5x-h5x7-q4mq: Moodle has an IDOR in web service which allows users enrolled in a course to access some details of other users

A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available to teachers and managers on sites with the Dropbox repository enabled.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-3641

**Moodle has an authenticated remote code execution risk in the Moodle LMS Dropbox repository**

High severity GitHub Reviewed Published Apr 25, 2025 to the GitHub Advisory Database • Updated Apr 25, 2025

**Package**

composer moodle/moodle (Composer)

**Affected versions**

< 4.1.18

\>= 4.3.0-beta, < 4.3.12

\>= 4.4.0-beta, < 4.4.8

\>= 4.5.0-beta, < 4.5.4

**Patched versions**

4.1.18

4.3.12

4.4.8

4.5.4

**Description**

Published to the GitHub Advisory Database

Apr 25, 2025

Last updated

Apr 25, 2025

**EPSS score**

GHSA-c8v6-vxhf-wcrr: Moodle has an authenticated remote code execution risk in the Moodle LMS Dropbox repository

A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available to teachers and managers on sites with the EQUELLA repository enabled.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-3642

**Moodle has an authenticated remote code execution risk in the Moodle LMS EQUELLA repository**

High severity GitHub Reviewed Published Apr 25, 2025 to the GitHub Advisory Database • Updated Apr 25, 2025

**Package**

composer moodle/moodle (Composer)

**Affected versions**

< 4.1.18

\>= 4.3.0-beta, < 4.3.12

\>= 4.4.0-beta, < 4.4.8

\>= 4.5.0-beta, < 4.5.4

**Patched versions**

4.1.18

4.3.12

4.4.8

4.5.4

**Description**

Published to the GitHub Advisory Database

Apr 25, 2025

Last updated

Apr 25, 2025

**EPSS score**

GHSA-m367-445c-2xqr: Moodle has an authenticated remote code execution risk in the Moodle LMS EQUELLA repository

A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attacks.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-3635

**Moodle has a CSRF risk in user tours manager that allows tour duplication**

Low severity GitHub Reviewed Published Apr 25, 2025 to the GitHub Advisory Database • Updated Apr 25, 2025

**Package**

composer moodle/moodle (Composer)

**Affected versions**

< 4.1.18

\>= 4.3.0-beta, < 4.3.12

\>= 4.4.0-beta, < 4.4.8

\>= 4.5.0-beta, < 4.5.4

**Patched versions**

4.1.18

4.3.12

4.4.8

4.5.4

**Description**

Published to the GitHub Advisory Database

Apr 25, 2025

Last updated

Apr 25, 2025

**EPSS score**

Latest News