Best Practices

Advocate Data Breach: The $1 Billion Lawsuit?


As covered in our blog last week, Advocate Health Care, a large Chicago-based health system, reported a data breach at one of its subsidiaries in which the theft of four laptops led to over four million compromised patient records. This event marks the second largest healthcare data breach in history, and, to put this into perspective, alone accounted for over 17% of the total number of patient records breached as reported to HHS since it started keeping track in 2009.

What Happened When Advocate Neglected Encryption Mandates


What made the event particularly noteworthy, however, is that Advocate had gone down this road before: a 2009 data breach at the same organization had a nearly identical fact pattern. Despite previous mandates from OCR/HHS to encrypt all portable devices, Advocate did not do so. The result? A class action lawsuit that may well break every data breach record.

My colleague (and self-professed Game of Thrones lover) summed it up best: “brace yourself: a staggering settlement is coming.” The lawsuit filed last week did not specify all of the damages the class intends to seek, but a look at recent data breach class actions shows that an astronomical figure is possible here. For instance, in a lawsuit stemming from a 2009 incident involving Stanford Hospital & Clinics, a class representative alleged $20 million in damages for 20,000 exposed patient files. That $1,000 per patient figure is not out of left field; lawsuits across the country in these sorts of actions frequently demand damages in the high three-figure range per patient.

$1 Billion Settlement for a Healthcare Data Breach

So, yes, the Advocate data breach could easily break the $1 billion mark in settlement, a figure in the range of the tobacco company settlements. This event exemplifies the enormous risk that covered entities face in the digital health age. Unfortunately, few providers appreciate these dangers until it is too late. As we have argued in this column many times, the best risk management strategy starts with a risk assessment. Discover where your patients’ PHI is going, and make sure you are doing everything in your power to minimize the biggest risks (in Advocate’s case, unencrypted laptops holding millions of records). If you do this, you are one significant step ahead of the average provider and a few steps farther away from being the next facility to let millions of records of PHI walk out your front door.

Frequently Asked Questions


Advocate failed to encrypt portable devices despite previous OCR/HHS mandates requiring encryption of all mobile devices containing PHI. This failure was particularly egregious because the organization had already experienced a similar breach in 2009 with a nearly identical fact pattern.

Recent healthcare data breach class actions typically demand damages in the high three-figure range per patient, with some cases like Stanford Hospital seeking $1,000 per exposed patient record. These per-patient damages can quickly escalate to massive settlements for large breaches.

Repeat breaches demonstrate a pattern of negligence and failure to implement corrective measures, significantly increasing legal exposure and potential damages. Courts and regulators view subsequent breaches more severely, especially when previous mandates were ignored.

Organizations should conduct comprehensive risk assessments to identify where PHI flows throughout their systems and implement encryption and security controls for the highest-risk areas. This proactive approach helps prevent becoming the next facility with millions of exposed records.

When a device is properly encrypted, the data on it remains unreadable without the decryption key, so a thief who has only the hardware cannot recover the PHI. Under the HHS breach notification rule, PHI encrypted in accordance with HHS guidance is not considered “unsecured,” so the loss of such a device generally does not trigger breach notification. The caveat is that the protection is only as good as the key handling: encryption that has been suspended, a key or recovery password stored on the device itself, or a device taken while powered on and unlocked leaves the data as exposed as on an unencrypted laptop.
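The safe harbor only applies if the drive is actually protected at the moment it walks out the door, and the easiest way to get that wrong is a volume that is fully encrypted but has BitLocker suspended (a clear key sits on disk, so anyone who boots the drive can read it). The following PowerShell audit is an added example, not code from the original post or from QliqSOFT; it assumes a Windows laptop with the built-in BitLocker module and an elevated prompt, and the function name Get-EncryptionAuditResult is my own. It treats a volume as compliant only when it is fully encrypted and protection is on, and it reports which key protectors are present so you can confirm that a recovery password exists to escrow centrally rather than on the machine.

```powershell
# Added example (not from the original article): audit BitLocker state on a
# Windows laptop and report whether each volume would actually count as
# "encrypted" if the laptop were stolen right now.
# Assumes: Windows with the BitLocker PowerShell module, run as Administrator.

function Get-EncryptionAuditResult {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # VolumeStatus tells you whether the bits on disk are encrypted;
        # ProtectionStatus tells you whether the key is actually protected.
        # "FullyEncrypted" + ProtectionStatus "Off" is the suspended state:
        # a clear key is stored on the disk and the data is readable to anyone
        # who boots the drive. Treat that as unprotected.
        $fullyEncrypted = ($vol.VolumeStatus -eq 'FullyEncrypted')
        $protectionOn   = ($vol.ProtectionStatus -eq 'On')

        # Key protector types present on the volume (e.g. Tpm, TpmPin,
        # RecoveryPassword, Password, ExternalKey). A RecoveryPassword
        # protector is what you escrow in AD/Entra or your MDM; it must not
        # live on the laptop itself.
        $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType          # OperatingSystem or Data
            VolumeStatus      = $vol.VolumeStatus
            ProtectionOn      = $protectionOn
            EncryptionMethod  = $vol.EncryptionMethod
            Protectors        = ($protectorTypes -join ',')
            HasRecoveryKey    = ($protectorTypes -contains 'RecoveryPassword')
            Compliant         = ($fullyEncrypted -and $protectionOn)
        }
    }
}

$results = Get-EncryptionAuditResult
$results | Format-Table -AutoSize

# Non-zero exit so the script can feed a fleet-wide compliance job.
$nonCompliant = @($results | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Warning ("Volumes that would NOT qualify as encrypted if stolen: " +
                   ($nonCompliant.MountPoint -join ', '))
    exit 1
}

$missingRecovery = @($results | Where-Object { $_.Compliant -and -not $_.HasRecoveryKey })
if ($missingRecovery.Count -gt 0) {
    Write-Warning ("Encrypted but with no recovery password protector to escrow: " +
                   ($missingRecovery.MountPoint -join ', '))
}
```

Run it from your endpoint management tool on every laptop that may carry PHI and collect the exit code; a device that reports `FullyEncrypted` with `ProtectionOn` false is the one that will turn a theft into a reportable breach. The equivalent checks on other platforms are `fdesetup status` on macOS and `lsblk -o NAME,TYPE,FSTYPE,MOUNTPOINT` (look for `crypt` entries) on Linux.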

Written by Krishna Kurapati, Founder & CEO of QliqSOFT, with 20+ years of healthcare technology experience.

Related Articles

Advocate Data Breach – Different Year, Same Encryption Problems (Best Practices). In many respects, it has been The Summer of The Data Breach. HHS brought down the hammer on Wellpoint, fining the insurer $1.7 million after discovering the impermissible disclosure of over 600,000 patient records through an unsecured online application. A couple of weeks later OHSU reported a breach of over 3,000 patient records when hospital officials learned that providers were using Google Drive to share patient records in the cloud.

OHSU Data Breach: Where Health IT is Lacking (Best Practices). In an interesting piece posted over the weekend at The Health Care Blog, Dr. David Do described a recently reported data breach at the Oregon Health & Science University. The event, which was reported to patients at the end of July, was triggered when OHSU administrators discovered that medical residents were storing patient records in Google Drive, a free, cloud-based document storage platform.

Are Smartphones and Texting Helpful During Ransomware Attacks? (Best Practices). Ransomware attacks are back with a vengeance, this time targeting healthcare facilities that hold critical patient data they cannot afford to lose. Hospitals need patient data quickly; without it, patient care can become difficult or nearly impossible. Since all patient data is now stored on computers, losing it is not an option. In just the past few months, ransomware has attacked millions of computers, locking out their users for days.