
Advocate Data Breach – Different Year, Same Encryption Problems



In many respects, it has been The Summer of The Data Breach. HHS brought down the hammer on Wellpoint, fining the insurer $1.7 million after discovering the impermissible disclosure of over 600,000 patient records through an unsecured online application. A couple of weeks later, OHSU reported a breach of over 3,000 patient records when hospital officials learned that providers were using Google Drive to share patient records in the cloud. Finally, just two weeks ago, in the event that sent shock waves through both covered entities and business associates, OCR and Affinity reached a $1.2 million settlement after the health plan failed to delete over 300,000 patient records from a digital photocopier it had leased in 2010. A subsequent lessee, CBS, noticed a large amount of leftover sensitive data.

An Unfortunate Healthcare Breach

So, in what can only be described as a suitable event to close out the summer, this Labor Day weekend punctuated this series of noteworthy PHI events with the discovery that Advocate Health lost more than 4 million patient records after a thief stole four computers from the largest Illinois medical group. In an all-too-familiar fact pattern, the laptops were not encrypted, leaving every data record vulnerable to compromise.

While the number of compromised patient records is staggering, the biggest shocker of all was that Advocate has dealt with this exact problem in the past. In a 2009 laptop theft, Advocate landed itself on the OCR “Wall of Shame” for a breach in which 812 patient records walked out the door with the thief. In a settlement with federal regulators stemming from that first incident, Advocate agreed to launch an encryption program to protect all future mobile devices from third-party access even if stolen. An Advocate spokeswoman indicated that this encryption program had not yet reached the four recently stolen laptops.

Be Proactive with Healthcare Security and Encryption


Though unfortunate, the Advocate case provides us with some valuable lessons. Large healthcare organizations have the resources and IT personnel to roll out protective measures for their patients’ data, but given the organizational complexities and many moving parts, even requirements imposed by a federal lawsuit settlement may take a hospital system years to roll out completely. What’s more, as the number and variety of mobile devices increase, huge health systems will find it difficult to remain flexible enough to account for these new challenges.

The change providers adopt must be more foundational. Instead of constantly patching over security issues, providers should find solutions with security already built into the product infrastructure. Instead of allowing providers to use yet another device to access PHI, CIOs should first consider how to secure existing processes. Left unaddressed, your facility might find itself headlining the next season of data breaches.

Frequently Asked Questions


Healthcare organizations can face substantial HIPAA fines ranging from hundreds of thousands to millions of dollars, as evidenced by recent settlements like Wellpoint's $1.7 million penalty and Affinity's $1.2 million fine. These financial penalties often increase significantly for repeat offenders or organizations that fail to implement previously agreed-upon security measures.

Even with federal settlement requirements, large healthcare organizations may take several years to fully roll out encryption programs across all devices and systems. The complexity of healthcare IT infrastructure and the variety of mobile devices used can significantly extend implementation timelines, making proactive planning essential.

Healthcare CIOs should prioritize mandatory encryption for all mobile devices before deployment, implement device tracking and remote wipe capabilities, and establish clear policies restricting PHI access to secured devices only. Building security into the infrastructure from the ground up is more effective than trying to patch vulnerabilities after deployment.

Yes, using non-HIPAA compliant cloud services like standard Google Drive for sharing patient records constitutes a HIPAA violation, as demonstrated by the OHSU breach affecting over 3,000 patient records. Healthcare providers must use only HIPAA-compliant, Business Associate Agreement-covered cloud solutions for any PHI storage or sharing.

Healthcare organizations remain vulnerable due to the high value of medical data on the black market, complex IT infrastructures that are difficult to secure comprehensively, and often slow implementation of security measures across large systems. The combination of valuable data and operational complexity creates ongoing opportunities for cybercriminals.

Written by Krishna Kurapati, Founder & CEO of QliqSOFT, with 20+ years of healthcare technology experience.
