It is a lot easier to steal a laptop than it is to hack into a corporate database. The Internet erupts every time a hacker compromises data of millions of customers, but it remains silent when a laptop containing data of thousands of employees is stolen. However, that is not the case when an athletic trainer for the Washington Redskin’s had their unencrypted, but password protected laptop stolen in Indianapolis, IN during the NFL Combine.
The National Football League (NFL) and the Washington Redskins informed the general public, on June 1, that in Late April a Redskins trainer’s backpack was stolen from the trainer’s car. The stolen backpack contained a laptop storing up to 12 years of NFL players’ medical records, a zip drive, and certain hard copy records of NFL Combine medical examinations.
The NFLPA, the league, and the Redskins all released statements that conveyed that no player’s financial, medical, and personal records have been compromised. However, the Redskins’ statement made the mentioned that they have yet to “locate and notify players who have been impacted.”
It may be difficult to determine what specific information is at risk, but there is still the potential that the information is sensitive. With that being said, certain information players may not want to be known to others could have been compromised and potentially released.
Legal ramifications could arise from a hypothetical release as the incident can be seen as a breach of player’s privacy. The players trusted the league and team to protect their medical records and the league failed to take reasonable steps to protect that information.
Fault here would rest on the NFL because of the subject matter of most of the data, and the lack of stringent league wide standards and policing. The data here is mostly about the NFL Combine. The Combine is conducted by an outside party, but is considered a league event. It was league’s responsibility to protect the records of the athletes participating in each Combine, therefore the incident is a breach of the players’ privacy.
Ultimately, most liability would arise from the fact that the computer was not encrypted. The federal government has minimum standards for “covered entities,” which utilize the use of disclosure of protected health information (PHI). The League may not be a “covered entity,” for the Department of Health and Human Services, yet a suit could potentially be brought to a state court in a situation that information from the laptop was to surface.
PHI involves all individually identifiable health information including an individuals past, present, or future physical or mental condition, and information. Even though the league may not be a “covered entity,” subject to those regulations, they must implement appropriate standards to prevent the use or disclosure of that information to third parties. In these circumstances, the unencrypted laptop would not meet the minimum standards.
A similar situation occurred in 2015 when an employee of the Cancer Care Group (CCR), had their unencrypted laptop containing patient’s PHI stolen. In that case the Department of Health and Human Services as well as the Office of Civil Rights believed that CCR did not devise of proper standard to reduce the likelihood of protected health information being promised. CCR settled with a $750,000 fine and an order to take stringent corrective action in order to correct the deficiencies in their policies.
Both the Federal Government and the NFL/ NFLPA emphasize the need for encryption because it is truly the only to protect the data on a computer. To an outsider, the data is indecipherable, thus making it essentially a foreign language. Had the data on the laptop been encrypted there would be no potential harm to the league or the players.
Regardless if the thief knew what they were getting; the NFL can face fines like CCR did on a state level. This is just another issue that the NFL can add to their large plate.