Not even the NFL is safe from the recent rise in stolen healthcare data.
According to a report from Deadspin, a laptop belonging to an athletic trainer for the Washington Redskins was stolen out of the trainer's car after it was broken into. The laptop was located in a backpack, which was taken during the robbery.
Unfortunately for the NFL, the laptop contained electronic and paper medical records for thousands of players, including NFL Combine attendees from the last 13 years.
The theft occurred in mid-April. The laptop was password protected but not encrypted.
An email from DeMaurice Smith, executive director of the NFL Players Association (NFLPA), notified the players of the incident back on May 27. It begins:
It has come to our attention that the backpack belonging to a Washington Redskins’ athletic trainer was stolen from a car following a break-in. We have been advised that the backpack contained a password protected, but unencrypted, laptop that had copies of the medical exam results for NFL Combine attendees from 2004 until the present, as well as certain Redskins’ player records. We have also been advised that the backpack contained a zip drive and certain hard copy records of NFL Combine medical examinations as well as portions of current Redskins’ player medical records.
The email concludes by noting that the NFL has consulted with the U.S. Department of Health and Human Services regarding the incident.
According to the Redskins' official statement, there is no evidence to suggest that any records were accessed following the robbery.
The Washington Redskins can confirm that a theft occurred mid-morning on April 15 in downtown Indianapolis, where a thief broke through the window of an athletic trainer’s locked car. No social security numbers, Protected Health Information (PHI) under HIPAA, or financial information were stolen or are at risk of exposure.
The laptop was password-protected but unencrypted, but we have no reason to believe the laptop password was compromised. The NFL’s electronic medical records system was not impacted.
The team immediately notified local law enforcement of the theft and has cooperated with its investigation. The team is working with the NFL and NFLPA to locate and notify players who may have been impacted. The team is also taking steps to prevent future incidents of this nature, including by encrypting all laptops issued to athletic trainers and other team personnel and through enhanced security training.
It remains to be seen whether HHS will pursue legal action over this incident, since the laptop was unencrypted. Whatever the result, this was clearly a violation of the players' privacy and possibly a HIPAA violation.