Laptop containing players’ medical records was stolen from Washington trainer – CBSSports.com
The NFL confirmed in a statement on Wednesday that a laptop containing the medical data of NFL players was stolen at the NFL scouting combine.
Per a report from Deadspin, the car of an athletic trainer who works for the Washington Redskins was broken into; the car held a backpack, and inside that “backpack was a cache of electronic and paper medical records for thousands of players, including NFL combine attendees from the last 13 years.” The NFLPA alerted the players to the theft in a memo last month.
In that memo, NFLPA Executive Director DeMaurice Smith stated that the PA had contacted and was working with the United States Department of Health and Human Services (HHS) regarding the matter. It is likely that the NFLPA and HHS are investigating how much legal responsibility the NFL (and the Washington franchise) bear for this theft, as well as whether any federal and local medical privacy laws were violated.
As Deadspin noted, HHS has previously used the Health Insurance Portability and Accountability Act (HIPAA) to aggressively pursue companies that stored private medical information on unencrypted computers that were later stolen.
Via Deadspin, here is the NFL’s statement on the matter:
Once we became aware of the theft, we promptly worked with the club and the NFLPA to identify the scope of the issue.
The club is taking all appropriate steps to notify any person whose information is potentially at risk. As the NFLPA memo confirms, the theft of data involves information maintained by one club and no information maintained by any club on the NFL Electronic Medical Records system was compromised and the theft is entirely unrelated to that system.
All clubs have been directed to re-confirm that they have reviewed their internal data protection and privacy policies and that medical information is stored and transmitted on password-protected and encrypted devices; and that every person with access to medical information has reviewed and received training on the policies regarding the privacy and security of that information.
We are aware of no evidence that the thief obtained access to any information on the computer that was stolen nor aware that any information was made public.
Also via Deadspin, Washington issued a statement on the matter:
The Washington Redskins can confirm that a theft occurred mid-morning on April 15 in downtown Indianapolis, where a thief broke through the window of an athletic trainer’s locked car. No social security numbers, Protected Health Information (PHI) under HIPAA, or financial information were stolen or are at risk of exposure.
The laptop was password-protected but unencrypted, but we have no reason to believe the laptop password was compromised. The NFL’s electronic medical records system was not impacted.
The team immediately notified local law enforcement of the theft and has cooperated with its investigation. The team is working with the NFL and NFLPA to locate and notify players who may have been impacted. The team is also taking steps to prevent future incidents of this nature, including by encrypting all laptops issued to athletic trainers and other team personnel and through enhanced security training.
This is the second consecutive offseason the NFL has had to deal with the breach of private medical information of players. Last summer, a hospital in south Florida leaked the medical records of Giants defensive end Jason Pierre-Paul to ESPN after Pierre-Paul was treated for burns and other injuries he sustained in a fireworks accident.
The latest breach is obviously much larger in scale, and potentially much more serious in nature.