Advocate Data Breach: The $1 Billion Lawsuit?

Healthcare IT Security

April 28, 2017

As covered in our blog last week, Advocate Health Care, a large Chicago-based health system, reported a data breach at one of its subsidiaries in which the theft of four laptops exposed over four million patient records. At the time it was the second largest healthcare data breach ever reported and, to put that in perspective, it alone accounted for over 17% of all patient records reported breached to HHS since the agency started keeping track in 2009.

What Happened When Advocate Neglected Encryption Mandates


What made the event particularly noteworthy is that Advocate had gone down this road before: a 2009 data breach with a nearly identical fact pattern. Despite previous direction from OCR/HHS to encrypt all portable devices, Advocate had not done so. The result? A class action lawsuit that will likely break all data breach records.

My colleague (and self-professed Game of Thrones lover) summed it up best: “brace yourself: a staggering settlement is coming.” The lawsuit filed last week did not specify the damages the class will seek, but a look at recent data breach class actions shows very quickly that an astronomical figure is possible here. For instance, in a lawsuit stemming from a 2009 incident involving Stanford Hospital & Clinics, a class representative alleged $20 million in damages for 20,000 exposed patient files. That $1,000-per-patient figure is not out of left field; lawsuits across the country in these sorts of actions routinely demand damages in the high three figures per patient.

$1 Billion Settlement for a Healthcare Data Breach

So, yes, the Advocate data breach could easily break the $1 billion mark in settlement, a number in the range of tobacco company settlements. This event exemplifies the enormous risk that covered entities face in the digital health age. Unfortunately, few providers realize these dangers until it’s too late. As we’ve argued in this column many times, the best risk management strategy starts with a risk assessment. Discover where your patients’ PHI is going, and make sure you’re doing everything in your power to minimize the biggest risks. If you do this, you’re one significant step ahead of the average provider and a few steps farther away from being the next facility to let millions of records of PHI walk out the front door.

Frequently Asked Questions (FAQs)

What was the Advocate data breach?

The Advocate data breach occurred when four unencrypted laptops were stolen from one of Advocate Health Care’s subsidiaries, exposing the personal and medical information of over 4 million patients. At the time, it was the second largest healthcare data breach ever reported in the United States.

Why was the breach considered especially serious?

The breach was considered especially serious because Advocate had experienced a similar data breach in 2009 and had been directed to encrypt portable devices. Despite this history and its own encryption policies, the laptops involved in the later breach were still not encrypted, which significantly increased legal and regulatory scrutiny.

What data was compromised?

The compromised data included protected health information (PHI) such as patient names, addresses, medical record numbers, dates of birth, and other sensitive healthcare details. Although no misuse was initially confirmed, the exposure alone created substantial compliance and legal risk: under HIPAA, loss of unencrypted PHI is presumed to be a breach regardless of whether the data is ever used.

What were the legal consequences?

Following the breach, class-action lawsuits were filed against Advocate Health Care. Plaintiffs alleged negligence and failure to protect patient data, seeking damages that, aggregated across affected individuals, could reach $1 billion, making it one of the most financially significant healthcare data breach cases.

How common are breaches caused by lost or stolen devices?

Laptop theft and loss have historically been among the most common causes of large healthcare data breaches, particularly before full-disk encryption became standard. The Advocate case highlighted how portable devices remain a high-risk vector when encryption and access controls are not enforced.

What are the key lessons from the Advocate breach?

Key lessons include the importance of:

  • Encrypting all portable and mobile devices
  • Regularly reviewing security risk assessments
  • Enforcing encryption policies consistently across subsidiaries
  • Treating prior breaches as warnings, not isolated events

The case shows how repeated failures dramatically increase legal exposure.

Why does encryption matter so much?

Encryption ensures that even if a device is lost or stolen, the data on it remains unreadable without the key. Under HHS breach notification guidance, PHI that was encrypted is treated as “secured,” so the loss of a properly encrypted device generally does not trigger breach notification, significantly reducing financial, legal, and reputational damage. The caveat practitioners should keep in mind: this protection only applies to whole-disk (or equivalent) encryption using recognized methods, and only if the decryption key was not compromised along with the device, which is why recovery keys must be stored separately from the data they protect and never on the device itself.

Is encryption enough on its own?

Encryption is critical, but it is not sufficient on its own. Healthcare organizations also need access controls, audit logging, staff training, secure workflows, and continuous risk assessments to prevent breaches and to demonstrate compliance. Just as important is verifying that the encryption policy is actually applied on every device in every subsidiary, because a policy that exists on paper but not on the stolen laptop is what turned Advocate’s theft into a reportable breach.
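The two answers above come down to a question an organization should be able to answer for every device: if this were stolen tonight, would it be a reportable breach? The following is an added example, not code from the original post or from Advocate, that runs that triage over a device inventory. The inventory is a constructed CSV in the shape of an asset or MDM export; the column names (device_id, entity, device_type, encryption, key_escrow, contains_phi) and the entity names are assumptions for this example, not any vendor’s real schema. A device counts as “secured” only if it has full-disk encryption and its recovery key is escrowed off the device, mirroring the HHS guidance that encrypted PHI is secured only when the key was not also compromised.

```python
"""Triage a device inventory for encryption gaps that would turn a lost or
stolen device into a reportable PHI breach.

Added example, not code from the original post. INVENTORY_CSV is constructed
sample data; the column names and entity names are assumptions.
"""
import csv
import io
from collections import Counter

# Constructed sample export (assumed schema, not a real vendor format).
INVENTORY_CSV = """device_id,entity,device_type,encryption,key_escrow,contains_phi
LT-0001,Hospital Group A,laptop,fde,escrowed,yes
LT-0002,Hospital Group A,laptop,none,none,yes
LT-0003,Clinic Group B,laptop,fde,local,yes
DT-0101,Clinic Group B,desktop,none,none,yes
USB-007,Hospital Group A,usb,none,none,yes
TB-0042,Clinic Group B,tablet,fde,escrowed,no
"""

# Device classes that routinely leave the building and are easiest to lose.
PORTABLE_TYPES = {"laptop", "tablet", "usb", "phone"}


def classify(row):
    """Return the encryption status of one inventory row.

    secured               - full-disk encryption, recovery key escrowed elsewhere
    encrypted_key_exposed - encrypted, but the key lives on the device or is
                            unaccounted for, so it can be taken with the data
    unencrypted_phi       - no disk encryption and the device holds PHI
    unencrypted_no_phi    - no disk encryption, no PHI recorded
    """
    enc = row["encryption"].strip().lower()
    escrow = row["key_escrow"].strip().lower()
    has_phi = row["contains_phi"].strip().lower() == "yes"
    if enc == "fde" and escrow == "escrowed":
        return "secured"
    if enc == "fde":
        return "encrypted_key_exposed"
    return "unencrypted_phi" if has_phi else "unencrypted_no_phi"


def audit(csv_text):
    """Parse the export and decide, per device, whether its loss would be reportable."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row)
        has_phi = row["contains_phi"].strip().lower() == "yes"
        findings.append({
            "device_id": row["device_id"].strip(),
            "entity": row["entity"].strip(),
            "portable": row["device_type"].strip().lower() in PORTABLE_TYPES,
            "status": status,
            # Only PHI-bearing devices that are not properly secured would
            # trigger notification if they walked out the door.
            "reportable_if_lost": has_phi and status != "secured",
        })
    return findings


def exposure_by_entity(findings):
    """Count, per subsidiary, the devices whose loss would be a reportable breach."""
    return Counter(f["entity"] for f in findings if f["reportable_if_lost"])


def priority_list(findings):
    """Reportable devices to remediate first: portable ones ahead of fixed ones."""
    hits = [f for f in findings if f["reportable_if_lost"]]
    return sorted(hits, key=lambda f: (not f["portable"], f["device_id"]))


if __name__ == "__main__":
    results = audit(INVENTORY_CSV)
    for entity, count in sorted(exposure_by_entity(results).items()):
        print(f"{entity}: {count} device(s) whose theft would be a reportable breach")
    for f in priority_list(results):
        kind = "portable" if f["portable"] else "fixed"
        print(f"  remediate {f['device_id']} ({kind}): {f['status']}")
```

Run against a real export, the per-entity counts are the number the FAQ is really asking about: how many Advocate-style incidents are waiting to happen in each subsidiary. The “encrypted_key_exposed” class is the one that tends to surprise people; a laptop with BitLocker or FileVault enabled but its recovery key saved in a text file on the same disk does not earn the safe harbor.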

The Author
Krishna Kurapati

Krishna Kurapati is the Founder and CEO of QliqSOFT. He has more than two decades of technology entrepreneurship experience. Kurapati started QliqSOFT with the strong desire to solve clinical collaboration and workflow challenges using artificial intelligence (AI)-powered digital technologies across the U.S. healthcare system.
