Dive Brief:
- The National Football League informed current and former players via email last month that their medical records had been stolen on April 19, Deadspin reported. The NFL confirmed Wednesday the incident occurred in downtown Indianapolis.
- Although the NFL stated that no Social Security numbers, financial information or protected health information under HIPAA is at risk of public exposure, the incident is still a breach of the players' privacy, and because the league is legally liable it may face a violation of medical privacy laws.
- A thief allegedly took a backpack from a Washington Redskins athletic trainer's car. The laptop inside was password protected but unencrypted, and held a collection of medical records from the last 13 years covering the majority of players. A login password alone does not protect data at rest: without full-disk encryption, the drive can simply be removed or the machine booted from other media and the files read directly.
Dive Insight:
HHS has pursued HIPAA enforcement actions against organizations whose employees' unencrypted computers, holding medical records, were lost or stolen.
"Covered entities and business associates must understand that mobile device security is their obligation," HHS' Office for Civil Rights Deputy Director of Health Information Privacy Susan McAndrew told The Hill. "Our message to these organizations is simple: Encryption is your best defense against these incidents."
The Redskins said in a statement they "have no reason to believe the laptop password was compromised." They also stated the NFL's EMR system had not been impacted.
"The team immediately notified local law enforcement of the theft and has cooperated with its investigation," the Redskins stated. "The team is working with the NFL and NFL Players Association to locate and notify players who may have been impacted. The team is also taking steps to prevent future incidents of this nature, including by encrypting all laptops issued to athletic trainers and other team personnel and through enhanced security training."
The NFL said in a statement: "All clubs have been directed to re-confirm that they have reviewed their internal data protection and privacy policies and that medical information is stored and transmitted on password-protected and encrypted devices; and that every person with access to medical information has reviewed and received training on the policies regarding the privacy and security of that information."
According to the statement, the league is investigating the breach together with the NFL Players Association and the Redskins to determine its scope, and does not currently know whether any of the stolen private information has been made public.
The May 27 email acquired by Deadspin, sent by NFLPA Executive Director DeMaurice Smith to each player's representatives, read: "All inquiries regarding this matter should be directed to the NFL Management Council lawyers (212-450-2000) and/or the Washington Redskins (703-726-7000)."