In late April, the NFL recently informed its players, a Skins athletic trainer’s car was broken into. The thief took a backpack, and inside that backpack was a cache of electronic and paper medical records for thousands of players, including NFL Combine attendees from the last 13 years. That would encompass the vast majority of NFL players, and for them, it’s a worrying breach of privacy; for the NFL, it’s potentially a costly violation of medical privacy laws.
Last month the league alerted the players’ union to the theft. Deadspin has obtained an email sent on May 27th by NFLPA Executive Director DeMaurice Smith to each team’s player representatives:
It has come to our attention that the backpack belonging to a Washington Redskins’ athletic trainer, was stolen from a car following a break-in. We have been advised that the backpack contained a password protected, but unencrypted, laptop that had copies of the medical exam results for NFL Combine attendees from 2004 until the present, as well as certain Redskins’ player records. We have also been advised that the backpack contained a zip drive and certain hard copy records of NFL Combine medical examinations as well as portions of current Redskins’ player medical records. It is our understanding that our Electronic Monitoring System prevented the downloading of any player medical records held by the team from the new EMR system.
The NFLPA has consulted with the U.S. Department of Health and Human Services regarding this matter. The NFLPA also continues to be briefed by the NFL on how they intend to deal with both the breach by a club employee, the violation of NFL and NFLPA rules regarding the storage of personal data, and what the NFL intends to do with respect to notifying those who may be affected. We will keep you apprised of what we hear from the team and League.
All inquiries regarding this matter should be directed to the NFL Management Council lawyers (212-450-2000) and/or the Washington Redskins (703-726-7000).
The circumstances of the car break-in are unclear (Update: see Skins’ statement below), and the players whose medical records were stolen haven’t been informed whether the NFL believes the thief knew what was in the backpack or how to get around the password protection. (The hard copies of the records, obviously, have no protection.) In terms of the NFL’s legal liability—the breach appears to be the NFL’s legal responsibility rather than the Skins’, and we’re told the league is handling investigation of the incident—the final destination of the records doesn’t matter.
Though it was a Washington club employee whose copies were stolen, the records are those of attendees of the NFL Combine. It’s widely understood that the Combine, though operated by a private company, is a league event, involving prospective league employees, and the records are those of current and former players from among all the NFL’s teams. It is thus likely that it is the NFL’s responsibility to protect those records, and the NFL’s obligation to make sure that anyone who has access to them observes federally and locally required medical privacy standards.
Storing data on an unencrypted laptop appears to fail those standards. The U.S. Department of Health and Human Services has vigorously pursued violations under the Health Insurance Portability and Accountability Act (HIPAA) against companies with unencrypted computers, containing medical records, that were stolen from employees. Here are four such cases from recent years in which HHS reached settlement agreements, ranging from five to seven figures, in scenarios like this.
From one release:
“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy. “Our message to these organizations is simple: encryption is your best defense against these incidents.”
The NFL is unlikely to be a “covered entity,” so HIPAA would probably not apply directly to the league. Instead, any potential litigation would likely take place on the state level, where courts routinely cite HIPAA standards. There has long been a debate about the nature of professional athletes’ medical exams (sports leagues maintains they are “employment records”) but HHS has made clear that athletes’ medical records are as legally protected as anyone else’s.
If this comment is suggesting that the records of professional athletes should be deemed “employment records” even when created or maintained by health care providers and health plan, the Department disagrees. No class of individuals should be singled out for reduced privacy.
That the NFLPA is consulting with HHS is likely a sign that the union considers this a severe privacy violation not just of the league’s rules, but of the law.
The NFLPA declined comment for this story. The Skins did not respond to a request for comment. We were awaiting comment from the NFL at the time of publication and will update with their response.
Update, 3:51 p.m. EDT: An NFL spokesperson sends this statement:
Once we became aware of the theft, we promptly worked with the club and the NFLPA to identify the scope of the issue.
The club is taking all appropriate steps to notify any person whose information is potentially at risk. As the NFLPA memo confirms, the theft of data involves information maintained by one club and no information maintained by any club on the NFL Electronic Medical Records system was compromised and the theft is entirely unrelated to that system.
All clubs have been directed to re-confirm that they have reviewed their internal data protection and privacy policies and that medical information is stored and transmitted on password-protected and encrypted devices; and that every person with access to medical information has reviewed and received training on the policies regarding the privacy and security of that information.
We are aware of no evidence that the thief obtained access to any information on the computer that was stolen nor aware that any information was made public.
Update, 4:28 p.m. EDT: A Skins spokesperson sends this:
The Washington Redskins can confirm that a theft occurred mid-morning on April 15 in downtown Indianapolis, where a thief broke through the window of an athletic trainer’s locked car. No social security numbers, Protected Health Information (PHI) under HIPAA, or financial information were stolen or are at risk of exposure.
The laptop was password-protected but unencrypted, but we have no reason to believe the laptop password was compromised. The NFL’s electronic medical records system was not impacted.
The team immediately notified local law enforcement of the theft and has cooperated with its investigation. The team is working with the NFL and NFLPA to locate and notify players who may have been impacted. The team is also taking steps to prevent future incidents of this nature, including by encrypting all laptops issued to athletic trainers and other team personnel and through enhanced security training.