ASHBURN, Va. — A laptop containing the medical records of thousands of NFL players was stolen from the car of a Washington Redskins trainer last month, the team said in a statement on Wednesday, confirming a story first reported by Deadspin.
According to a letter from the NFLPA that was obtained by Deadspin, the stolen medical records were of every player who went through the NFL scouting combine from 2004 through 2016, as well as current Redskins players. The backpack also contained a zip drive and hard copies of the medical records, the letter said.
“It’s very bad,” one league source said of the situation.
According to a Redskins statement, the laptop was taken on April 15 in downtown Indianapolis, where a thief broke the window of a car belonging to one of the team’s trainers and stole his backpack.
The Redskins’ statement indicated there is no reason to believe the laptop’s password was compromised or that the NFL’s electronic medical records system was impacted.
“No social security numbers, protected health information under HIPAA or financial information were stolen or are at risk of exposure,” the team said.
A message left with Indianapolis police wasn’t immediately returned. It wasn’t immediately clear why the team trainer was in the city. The scouting combine is held every March in Indianapolis.
The Redskins are working with the NFL and NFLPA to notify players who might be impacted.
“The team is also taking steps to prevent future incidents of this nature, including by encrypting all laptops issued to athletic trainers and other team personnel and through enhanced security training,” the team said.
According to a letter sent by NFLPA executive director DeMaurice Smith to player representatives late last month and obtained by Deadspin, the electronic monitoring system prevented the downloading of any player medical records. The NFLPA also has contacted the U.S. Department of Health and Human Services regarding the situation, Smith said.
NFL spokesman Brian McCarthy said the league has worked closely with the NFLPA since learning of the theft. He reiterated that the data involves information maintained by one club and “no information maintained by any club on the NFL Electronic Medical Records system was compromised, and the theft is entirely unrelated to that system.”
McCarthy said teams have been directed to re-confirm that they have reviewed their internal data protection and privacy policies and that medical information is stored and transmitted on password-protected and encrypted devices. The league also wants teams to make sure that every person with access to medical information has reviewed and received training on the policies regarding privacy and security of that information.
“We are aware of no evidence that the thief obtained access to any information on the computer that was stolen nor aware that any information was made public,” McCarthy said.