Thousands of NFL Players’ Medical Records Stolen From Skins Athletic Trainer

A Skins athletic trainer’s car was broken into in late April, the NFL recently informed its players. The thief took a backpack, and inside that backpack was a cache of electronic and paper medical records for thousands of players, including NFL Combine attendees from the last 13 years. That would encompass the vast majority of NFL players, and for them, it’s a worrying breach of privacy; for the NFL, it’s potentially a costly violation of medical privacy laws.

Last month the league alerted the players’ union to the theft. Deadspin has obtained an email sent on May 27th by NFLPA Executive Director DeMaurice Smith to each team’s player representatives:

Men,

It has come to our attention that the backpack belonging to a Washington Redskins’ athletic trainer was stolen from a car following a break-in. We have been advised that the backpack contained a password-protected, but unencrypted, laptop that had copies of the medical exam results for NFL Combine attendees from 2004 until the present, as well as certain Redskins’ player records. We have also been advised that the backpack contained a zip drive and certain hard copy records of NFL Combine medical examinations as well as portions of current Redskins’ player medical records. It is our understanding that our Electronic Monitoring System prevented the downloading of any player medical records held by the team from the new EMR system.

The NFLPA has consulted with the U.S. Department of Health and Human Services regarding this matter. The NFLPA also continues to be briefed by the NFL on how they intend to deal with both the breach by a club employee, the violation of NFL and NFLPA rules regarding the storage of personal data, and what the NFL intends to do with respect to notifying those who may be affected. We will keep you apprised of what we hear from the team and League.

All inquiries regarding this matter should be directed to the NFL Management Council lawyers (212-450-2000) and/or the Washington Redskins (703-726-7000).

Thank you,

De

The circumstances of the car break-in are unclear, and the players whose medical records were stolen haven’t been informed whether the NFL believes the thief knew what was in the backpack or how to get around the password protection. (The hard copies of the records, obviously, have no protection.) In terms of the NFL’s legal liability—the breach appears to be the NFL’s legal responsibility rather than the Skins’, and we’re told the league is handling investigation of the incident—the final destination of the records doesn’t matter.

Though it was a Washington club employee whose copies were stolen, the records are those of attendees of the NFL Combine. It’s widely understood that the Combine, though operated by a private company, is a league event, involving prospective league employees, and the records are those of current and former players from among all the NFL’s teams. It is thus likely that it is the NFL’s responsibility to protect those records, and the NFL’s obligation to make sure that anyone who has access to them observes federally and locally required medical privacy standards.

Storing data on a password-protected but unencrypted laptop appears to fail those standards: a login password controls access to the operating system, not to the data on the drive itself. The U.S. Department of Health and Human Services has vigorously pursued violations under the Health Insurance Portability and Accountability Act (HIPAA) against companies whose employees had unencrypted computers containing medical records stolen from them. Here are four such cases from recent years in which HHS reached settlement agreements, ranging from five to seven figures, in scenarios like this.

From one release:

“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy. “Our message to these organizations is simple: encryption is your best defense against these incidents.”

The NFL is unlikely to be a “covered entity,” so HIPAA would probably not apply directly to the league. Instead, any potential litigation would likely take place at the state level, where courts routinely cite HIPAA standards. There has long been a debate about the nature of professional athletes’ medical exams (sports leagues maintain they are “employment records”), but HHS has made clear that athletes’ medical records are as legally protected as anyone else’s:

If this comment is suggesting that the records of professional athletes should be deemed “employment records” even when created or maintained by health care providers and health plans, the Department disagrees. No class of individuals should be singled out for reduced privacy.

That the NFLPA is consulting with HHS is likely a sign that the union considers this a severe privacy violation not just of the league’s rules, but of the law.

The NFLPA declined comment for this story. The Skins did not respond to a request for comment. We were awaiting comment from the NFL at the time of publication and will update with their response.