How and Why Interlock Targets the Healthcare Sector
It’s happened again: in recent days, we’ve seen another cyberattack on the healthcare sector, and there’s one name I want you to remember — Interlock.
This group, active since September last year, has gained notoriety for targeting — or at least focusing heavily on — the health and public healthcare sector, in addition to other critical infrastructure. But it’s clear that healthcare organisations are their primary target.
This very recent case, made public this month, is a stark reminder that the healthcare sector remains an attractive target for cybercriminals.
Attacking these kinds of organisations not only gives access to clinical and financial data — it also opens the door to insurance fraud and, ultimately, puts patient safety at risk.
And here’s where I want you to stop and think:
The victim of this attack was DaVita, a large, well-known company with more than 2,600 centres and around 200,000 patients.
If an organisation of that size couldn’t prevent the attack, what do you think could happen to a small or mid-sized clinic that still believes “this could never happen to me”?
For cybercriminals, there’s no such thing as a clinic too big or too small, nor is any ransom too large or too small.
We’ve already seen, in another case, a cybercrime group demanding just €750 to release stolen data.
The DaVita Case: How 20 TB of Data Were Stolen in a Cyberattack
What we know so far is that on 12 April, DaVita detected unauthorised access to its servers, specifically those linked to its laboratory systems.
The breach was identified internally, and the company itself confirmed the incident — although no further details have been shared about how they discovered it.
And that’s unfortunate, because those details could help other clinics strengthen their own defences.
The ClickFix Technique: Advanced Social Engineering in Action
Interlock used a social engineering technique known as ClickFix to gain initial access.
This wasn’t a poorly written mass email — it was something far more sophisticated:
They used legitimate compromised websites to trick users into downloading a malicious file.
The deception lay in making the victim believe they were fixing a technical issue, sometimes even presenting a fake CAPTCHA screen.
Once the file was executed, the attackers had their foot in the door — ready to steal credentials and move through the system as if they owned it.
In this case, the group remained undetected for three weeks, with reports stating the cyber incident began on 24 March 2025.
During that time, they managed to steal around 20 terabytes of data — including medical records, financial information, home addresses… highly sensitive data that can easily be sold on for other criminals to exploit.
One of the most common uses of this type of stolen information is to impersonate patients and commit insurance fraud.
The Serious Consequences of a Cyberattack in Healthcare
When an attack like this happens, the problem isn’t just the initial disruption — it’s everything that follows.
In the healthcare sector, a cyberattack can put lives at risk, lead to fraud, identity theft, reputational damage, and legal action from patients.
And if it’s shown that data protection or security laws weren’t being followed, the result is fines — and in the medium term, loss of patients due to lack of trust.
From my experience working with clinics, I know that most staff won’t go looking for cybersecurity guidance in their free time.
That’s why, as a clinic owner or manager, it’s your responsibility to ensure your team is trained, aware of the risks, and knows how not to fall for these traps.
And training isn’t a one-off task — threats evolve, and cybercriminal groups are constantly looking for new ways to break in.
Imagine This…
You have an employee who, with no bad intentions, sees a message pop up on their screen saying there’s a system issue and they need to follow some steps to “fix it”.
They click, follow the instructions… and without realising, they’ve just granted access to your entire clinic’s network.
That’s exactly how the DaVita incident began — and it’s exactly how a cyberattack could start in any other clinic.
Recommendations to Protect Your Clinic
1. Ongoing Training for Your Team
Train your staff. Giving your team the knowledge to understand cyber threats — and what to do (or avoid) — can prevent your clinic from falling victim to an attack.
2. Practical Tools
Your team should have the tools to spot a scam, respond correctly to suspicious activity, and — most importantly — see cybersecurity as part of their daily role, just like locking the doors at the end of the day.
3. Internal Simulations
Just like fire drills, run phishing simulations or mock incidents to help your staff practise how to respond if they detect something unusual.
4. Refresh Training Every Six Months
Threats evolve — and your team needs to stay up to date with the latest techniques used by attackers.
Essential Technical Measures for Your Network
- Access monitoring. Use tools that log and alert you when someone tries to access your system at unusual hours or from unrecognised locations.
- Network segmentation. If an intruder gets in, they shouldn’t be able to move freely across your entire system without authorisation.
- Close unnecessary ports. Every open port is a potential entry point. (I recommend reading my article on open ports and how to manage them.)
- Engaged technical support. Most clinics have basic IT support — but often not actively involved in prevention or staff training on these risks.
Conclusion
The lesson from this latest cyberattack on the healthcare sector by Interlock is clear:
No clinic is off the radar for cybercriminals.
Prevention cannot wait until an incident happens — because by then, the damage (financial, legal, and reputational) has already been done.
You can start today by strengthening your clinic with:
✅ Continuous training
✅ Clear security protocols
✅ Active technical oversight
Remember: your patients’ safety also depends on your cybersecurity.
Final Thought
Cyberattacks like the one led by Interlock are not isolated events — they’re part of a growing trend that’s hitting clinics and healthcare centres of all sizes.
Staying unprepared is no longer an option.
The good news? You don’t have to face it alone. With the right training, tools, and mindset, your clinic can become a much harder target for attackers.
📚 Recommended Reading
Exposed Ports in Clinics: The Backdoor That Could Cost You a Cyberattack
Learn how something as simple as an open port can give attackers full access — and what to do to close those doors before it’s too late.
Lock the doors well. And the ports, too. Cyber-protect yourself.
