The NFL has reported that thousands of players’ health care records were breached in late April after a laptop was stolen from the car of a Washington Redskins trainer.
The records are extensive, dating back a full 13 years. They’re reported to include current and former players’ protected health information (PHI), as well as that of the attendees of the annual scouting Combine.
In an official statement about the theft issued by the players’ union, NFLPA Executive Director DeMaurice Smith said:
The NFLPA [NFL Players Association] has consulted with the U.S. Department of Health and Human Services regarding this matter. The NFLPA also continues to be briefed by the NFL on how they intend to deal with both the breach by a club employee, the violation of NFL and NFLPA rules regarding the storage of personal data, and what the NFL intends to do with respect to notifying those who may be affected. We will keep you apprised of what we hear from the team and League.
The severity of the breach is such that the NFL has contacted the Department of Health and Human Services (HHS), the arm of the federal government that enforces HIPAA and oversees the privacy and security of personal health data. It’s unlikely that the NFL will be prosecuted as a HIPAA Covered Entity over this breach, which would spare it potential fines and litigation. HHS has made it clear that high-profile patients’ medical records must be afforded the same legal protection as anyone else’s. Athletes and celebrities alike face heightened risks to their privacy and are frequently targeted by attacks on their personal data.
Physical theft continues to plague the health care industry. Paper records are easy targets, but it’s becoming apparent that electronic health records (EHR), the long-heralded solution to this industry-wide problem, fall short of any kind of guaranteed security. Though the stolen laptop containing the players’ health data was password protected, it wasn’t encrypted. That distinction matters: an operating-system login password only gates the running OS, and a thief with physical possession can pull the drive or boot from other media and read the files directly. Full-disk encryption (BitLocker on Windows, FileVault on macOS, LUKS on Linux) is what actually protects data at rest, and under the HIPAA Breach Notification Rule, PHI encrypted to HHS’s guidance is treated as unusable to an unauthorized party, so the same theft would not even have counted as a reportable breach.
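As an added example, not code from the article nor from any NFL, NFLPA or HHS tool, here is a check a fleet administrator could run on a Linux laptop to catch exactly the failure described above: a login password with no disk encryption underneath. It parses the JSON output of `lsblk` and reports any mounted filesystem that is not stacked on a dm-crypt (LUKS) layer; the sample `lsblk` output embedded below is constructed for the example. The equivalent status commands on other platforms are `manage-bde -status` (BitLocker) and `fdesetup status` (FileVault).

```python
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output, in the
# shape real lsblk emits (assumption for this example; not taken from the article).
# /boot/efi is plaintext (expected), / and /home sit on LUKS, /data is an
# unencrypted second disk, which is the kind of mount this check should flag.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
       {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
        "children": [
          {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null,
           "children": [
             {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
             {"name": "vg-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"}
           ]}
        ]}
     ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sdb1", "type": "part", "fstype": "ext4", "mountpoint": "/data"}
     ]}
  ]
}
"""

# Mountpoints that are legitimately plaintext on a typical LUKS install.
DEFAULT_IGNORE = ("/boot", "/boot/efi", "[SWAP]")


def classify_mounts(lsblk_json: str) -> dict:
    """Map each mountpoint to True if any device above it in the stack is a
    dm-crypt layer (lsblk type "crypt"), else False."""
    tree = json.loads(lsblk_json)
    result = {}

    def walk(node, encrypted_above):
        # Encryption anywhere up the chain (part -> crypt -> lvm) covers this node.
        encrypted = encrypted_above or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint:
            result[mountpoint] = encrypted
        for child in node.get("children", []):
            walk(child, encrypted)

    for device in tree["blockdevices"]:
        walk(device, False)
    return result


def unencrypted_mounts(lsblk_json: str, ignore=DEFAULT_IGNORE) -> list:
    """Return mountpoints holding plaintext data, excluding expected ones."""
    return sorted(
        mp for mp, encrypted in classify_mounts(lsblk_json).items()
        if not encrypted and mp not in ignore
    )


def live_lsblk_json() -> str:
    """Fetch the real device tree on the host (requires util-linux lsblk)."""
    return subprocess.check_output(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"], text=True
    )


if __name__ == "__main__":
    # Run against the constructed sample; swap in live_lsblk_json() on a real host.
    flagged = unencrypted_mounts(SAMPLE_LSBLK_JSON)
    if flagged:
        print("Plaintext mounts (data at rest is NOT protected):", ", ".join(flagged))
    else:
        print("All data mounts sit on an encrypted layer.")
```

On the sample above the script flags `/data` only: `/` and `/home` inherit encryption from the `crypt` node beneath them, and the EFI partition is on the ignore list. Note that newer `lsblk` versions also emit a `mountpoints` array for multi-mount devices; the check above reads the singular `mountpoint` field, which `lsblk` still populates.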
Even though there have been industry-wide pushes for EHR adoption and migration away from paper records, the confidentiality of those records is tenuous without the encryption and access controls needed to keep them secure on every device that stores a copy.
In a statement given to Deadspin, an NFL spokesperson said that: “We are aware of no evidence that the thief obtained access to any information on the computer that was stolen nor aware that any information was made public.” The spokesperson also confirmed that the NFL’s electronic medical record (EMR) system that encompasses player data for the entire league was unaffected by the breach.
Over 112 million Americans had their health data breached in 2015 alone. In this case, HHS has the opportunity to make a decisive statement on EHR security and patients’ right to privacy, in an effort to curb the alarming trend of massive health data breaches.