Deadspin reported that thousands of NFL players’ paper and electronic medical records dating back to 2004 were stolen from a trainer’s car when the car was broken into and a laptop taken. The laptop was unencrypted.
The Redskins admitted that a password-protected, unencrypted laptop was stolen from a trainer’s locked car in Indianapolis on April 15th, and that no social security numbers, protected health information under HIPAA, or financial information was stolen.
What WAS stolen is less clear.
I guess the fact that the car was locked is supposed to be a compensating control for the laptop not being encrypted. The NFL is now saying they will begin encrypting laptops.
The NFL players’ union sent an email to each team’s union rep that said, in part, that the unencrypted laptop contained medical exams for NFL Combine attendees since 2004 as well as certain Redskins’ player medical records. The union said that this is a violation of NFL and union rules regarding the storage of personal data, that it has consulted with the US Department of Health and Human Services, and that the current thinking is that it is a HIPAA violation, based on recent settlements paid to HHS. Apparently, the union and the NFL disagree as to whether this is a HIPAA violation.
The Redskins’ thinking might be that they are not a covered entity or business associate under HIPAA rules, hence the HIPAA requirements might not apply to them. It is very likely that it is a violation of state privacy laws and since we could be talking about every state in the union, the NFL should consider whether it is better to deal with one entity – HIPAA – rather than 50 entities – each state’s attorney general.
Depending on whether the trainer was targeted for the theft and the thief knew what was on the laptop, or it was a junkie looking for his next fix, this could be a big issue or a non-issue.
If the medical records of everyone who tried out for a pro team since 2004 (at the Combine) were on there, that could affect thousands of people.
And, if the laptop was targeted, I suspect that data might be worth a significant amount of money to some people who want to know about a player’s medical condition for a variety of reasons, probably none of them legal.
However, the bigger question is WHY that data was required to be on this trainer’s laptop at all. Maybe he needs this year’s data or the last two years’ data, or maybe he needs data for active Redskins players, but why everyone who tried out – many of whom never signed a contract – since 2004?
This goes back to my recent blog post about how many organizations never met a piece of data that they did not want to hug.
This is an example of the flaw in that thinking. In this case, they may have to notify thousands of people and deal with that, rather than the fewer than a hundred people on the current Redskins roster.
If the historical data back to 2004 is really needed, maybe it should be made available ONLY when the trainer is in the Redskins facility – on a network server with access controls, rather than on a random laptop.
Until organizations understand that there is a problem with their model of distributing data, we are likely to continue to have big data breaches.
Information for this post came from the Washington Post.