The Washington Redskins confirmed to NFL Media on Wednesday that confidential player data was put at risk for compromise after a laptop computer belonging to a Redskins athletic trainer was stolen in April.
In a statement, the Redskins said a laptop containing player data was stolen from a Redskins trainer’s locked car on April 19. The laptop was password-protected, but unencrypted. However, the Redskins stated they “have no reason to believe the laptop password was compromised.” In addition, the team said the NFL’s electronic medical records system was not impacted by the theft.
“No social security numbers, Protected Health Information (PHI) under HIPAA (Health Insurance Portability and Accountability Act), or financial information were stolen or are at risk of exposure,” the Redskins stated.
“The team immediately notified local law enforcement of the theft and has cooperated with its investigation,” the Redskins said. “The team is working with the NFL and NFL Players Association to locate and notify players who may have been impacted. The team is also taking steps to prevent future incidents of this nature, including by encrypting all laptops issued to athletic trainers and other team personnel and through enhanced security training.”
The NFLPA declined to comment on the matter.
Deadspin.com first reported the incident.
In a response from the league obtained by NFL Media Insider Ian Rapoport, the NFL said it’s working with the NFL Players Association and the Redskins to understand the issue. The NFL also maintained it isn’t aware of private information from the stolen computer being made public.
Here’s the full statement from the NFL regarding the incident:
Once we became aware of the theft, we promptly worked with the club and the NFLPA to identify the scope of the issue.
The club is taking all appropriate steps to notify any person whose information is potentially at risk. As the NFLPA memo confirms, the theft of data involves information maintained by one club and no information maintained by any club on the NFL Electronic Medical Records system was compromised and the theft is entirely unrelated to that system.
All clubs have been directed to re-confirm that they have reviewed their internal data protection and privacy policies and that medical information is stored and transmitted on password-protected and encrypted devices; and that every person with access to medical information has reviewed and received training on the policies regarding the privacy and security of that information.
We are aware of no evidence that the thief obtained access to any information on the computer that was stolen nor aware that any information was made public.