This post has been updated with the Redskins’ statement.
The Redskins on Wednesday responded to a Deadspin report that thousands of NFL players’ paper and electronic medical records dating from 2004 were allegedly stolen from a Redskins trainer’s car in April. After initially declining to comment on the report, the Redskins issued a statement late Wednesday afternoon that begins:
“The Washington Redskins can confirm that a theft occurred mid-morning on April 15 in downtown Indianapolis, where a thief broke through the window of an athletic trainer’s locked car. No social security numbers, Protected Health Information (PHI) under HIPAA, or financial information were stolen or are at risk of exposure.
The laptop was password-protected but unencrypted, but we have no reason to believe the laptop password was compromised. The NFL’s electronic medical records system was not impacted.
While the statement says that certain information is not at risk, the final paragraph mentions the need “to locate and notify players who may have been impacted.”
The team immediately notified local law enforcement of the theft and has cooperated with its investigation. The team is working with the NFL and NFLPA to locate and notify players who may have been impacted. The team is also taking steps to prevent future incidents of this nature, including by encrypting all laptops issued to athletic trainers and other team personnel and through enhanced security training.”
Deadspin obtained an email that was allegedly sent on May 27 by NFL Players Association Executive Director DeMaurice Smith to each team’s player representatives. It begins:
It has come to our attention that the backpack belonging to a Washington Redskins’ athletic trainer was stolen from a car following a break-in. We have been advised that the backpack contained a password protected, but unencrypted, laptop that had copies of the medical exam results for NFL Combine attendees from 2004 until the present, as well as certain Redskins’ player records. We have also been advised that the backpack contained a zip drive and certain hard copy records of NFL Combine medical examinations as well as portions of current Redskins’ player medical records.
The email goes on to say that the NFLPA has consulted with the U.S. Department of Health and Human Services regarding the matter, which involves “the violation of NFL and NFLPA rules regarding the storage of personal data.” The incident was thought to also involve a violation of the Health Insurance Portability and Accountability Act (HIPAA). Based on recent settlements paid to HHS’s Office for Civil Rights in similar cases, storing medical records on unencrypted laptops does not comply with HIPAA’s Privacy and Security Rules.
Deadspin reports that the NFL is handling the investigation of the incident.