More Than 168,000 Patients' Information Stolen in Los Angeles County Computer Theft

Friday, March 21, 2014
By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Around 168,500 patients of Los Angeles County medical facilities are receiving letters notifying them that their personal data was stolen. According to the Los Angeles Times, on February 5, 2014, an office of Sutherland Healthcare Solutions, which handles billing and collections for the county's Department of Health Services and Department of Public Health, was burglarized and computer equipment was stolen.

Stolen Equipment May Have Contained Patients' Personal and Medical Information.

According to an article on Health IT Security, the office was broken into on February 5, 2014. Sutherland notified county workers overseeing compliance with the Health Insurance Portability and Accountability Act (HIPAA) on February 10, 2014, but it was unclear how many patients were affected. On February 25, 2014, Sutherland confirmed that county patients' personal information was stolen.

In all, eight computers and two monitors were stolen. The computers allegedly contained data including patients' first and last names, Social Security numbers, and certain medical and billing information. According to the Los Angeles Times, the computers may also have contained patients' birth dates, addresses and diagnoses.

Breach Under Investigation.

The theft is currently under investigation. It is not yet known whether the patient data was the intended target of the burglary or whether the data has been used in identity theft since. According to the Los Angeles Times, Sutherland had privacy and security processes, as well as security systems, in place at the time of the theft. Los Angeles County authorities are looking into whether this breach could have been prevented.

Warning to HIPAA Covered Entities Regarding Risk Assessments.

HIPAA covered entities are responsible for making sure all personal information is protected. Entities are also required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have safeguards in place to protect this information.

HIPAA laws have most likely changed since you last edited your privacy forms and procedures. Many health providers simply do not have the time to re-review their policies and revise documents. In a perfect practice, this would be done every six months.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals, and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs), please visit our website at or call (407) 331-6620 or (850) 439-1001.


Does your office and/or practice have an annual security risk assessment? Do you think risk analyses are important? Please leave any thoughtful comments below.


Sewell, Abby. "Computers with L.A. County Patients' Personal Data Are Stolen." Los Angeles Times. (March 6, 2014). From:

Health IT Security. "Los Angeles County DHS Reveals 168,000 Patient Data Breach." Health IT Security. (March 7, 2014). From:

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

"The Health Law Firm" is a registered fictitious business name of George F. Indest III, P.A. - The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.
