Thousands of National Football League (NFL) players’ paper and electronic medical records dating from 2004 were stolen from a Washington Redskins’ trainer’s car earlier this year, according to a report from sports and news media site Deadspin.
According to an email obtained by Deadspin that was allegedly sent on May 27 by NFL Players Association (NFLPA) Executive Director DeMaurice Smith to each team’s player representatives, “In late April, the NFL recently informed its players that a [Redskins] athletic trainer’s car was broken into. The thief took a backpack, and inside that backpack was a cache of electronic and paper medical records for thousands of players, including NFL Combine attendees from the last 13 years. That would encompass the vast majority of NFL players, and for them, it’s a worrying breach of privacy; for the NFL, it’s potentially a costly violation of medical privacy laws.”
The Washington Post confirmed the Deadspin report. In a statement, per the Post story, the Redskins team said that the theft occurred mid-morning on April 15 in downtown Indianapolis, “where a thief broke through the window of an athletic trainer’s locked car. No social security numbers, Protected Health Information (PHI) under HIPAA, or financial information were stolen or are at risk of exposure.”
The statement from the Redskins also said that the team is working with the NFL and NFLPA to locate and notify players who may have been affected. It went on to note that the laptop was password-protected but unencrypted, and that the team has no reason to believe the laptop password was compromised. The NFL’s electronic medical records system was not affected, the statement said. That distinction matters: an operating-system login password does not protect files on a stolen laptop whose disk is unencrypted, since the drive can simply be removed and read from another machine, which is why full-disk encryption is the standard control for portable devices holding health records.
The Deadspin report further notes that the NFL Combine, “though operated by a private company, is a league event, involving prospective league employees, and the records are those of current and former players from among all the NFL’s teams. It is thus likely that it is the NFL’s responsibility to protect those records, and the NFL’s obligation to make sure that anyone who has access to them observes federally and locally required medical privacy standards.”
The report’s authors note that because the NFL is not a covered entity under HIPAA, the law would not apply directly to the league. The U.S. Department of Health and Human Services’ (HHS) website confirms that health plans, healthcare providers, and healthcare clearinghouses are the groups covered by the Privacy Rule, and that they are subject to penalties if they release medical information without the patient’s consent. Instead, in this case, “any potential litigation would likely take place on the state level, where courts routinely cite HIPAA standards,” according to Deadspin.