The theft of a backpack holding a laptop computer and paper documents containing medical information on perhaps thousands of National Football League players serves as a lesson in the importance of properly safeguarding health information, even for entities falling outside of HIPAA's reach.
The theft, which the NFL now acknowledges, occurred in April when a car containing the backpack of a Washington Redskins athletic trainer was broken into in downtown Indianapolis, the news site Deadspin reports.
"The backpack contained a password-protected, but unencrypted, laptop that had copies of the medical exam results for NFL Combine attendees from 2004 until the present, as well as certain Redskins' player records," Deadspin reports, quoting an email reportedly sent on May 27 by NFL Players Association Executive Director DeMaurice Smith to each team's player representative. The players association is the union for pro football players.
The NFL Scouting Combine is a week-long event held each February in Indianapolis where college football players perform tests for NFL coaches and scouts. Many current players participated in the Combine.
The players association email obtained by Deadspin also notes: "We have also been advised that the backpack contained a zip drive and certain hard copy records of NFL Combine medical examinations as well as portions of current Redskins' player medical records. It is our understanding that our electronic monitoring system prevented the downloading of any player medical records held by the team from the new EMR system."
The players association declined to comment to Information Security Media Group on the incident.
NFL Statement
But the NFL tells ISMG in a statement: "Once we became aware of the theft, we promptly worked with the club and the NFLPA to identify the scope of the issue. The club is taking all appropriate steps to notify any person whose information is potentially at risk. As the NFLPA memo confirms, the theft of data involves information maintained by one club and no information maintained by any club on the NFL electronic medical records system was compromised, and the theft is entirely unrelated to that system."
All NFL clubs have been directed to re-confirm that they have reviewed their internal data protection and privacy policies; that medical information is stored and transmitted on password-protected and encrypted devices; and that every person with access to medical information has reviewed and received training on the policies regarding the privacy and security of that information, according to the NFL statement.
In addition, the NFL notes, "We are aware of no evidence that the thief obtained access to any information on the computer that was stolen nor aware that any information was made public."
The Redskins organization says that "no Social Security numbers, protected health information under HIPAA, or financial information was stolen or are at risk of exposure," according to Deadspin, and the players association letter says it had "consulted" with the U.S. Department of Health and Human Services about the incident.
The team says it's also "taking steps to prevent future incidents of this nature, including encrypting all laptops issued to athletic trainers and other team personnel and through enhanced security training," Deadspin reports.
The Redskins did not immediately respond to a request for comment.
Regulatory Gap?
Even though health information was apparently involved, the NFL incident appears to be outside of HIPAA's regulatory range, security experts say.
"While the team's medical personnel likely qualify as healthcare providers, they and their records may not be subject to HIPAA if they do not electronically submit healthcare claims to health plans or otherwise electronically interact with insurers," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "If HIPAA does not apply, certain state laws may nevertheless have required encryption of the data or breach notification of the theft."
Privacy attorney Kirk Nahra of the law firm Wiley Rein notes: "It is unlikely HIPAA is relevant. A football team isn't a covered healthcare provider, and I doubt this involved the team 'health plan,' certainly for players that are not on the team. So this is an issue of the HIPAA gaps, where HIPAA does not apply to all medical information but only to certain information in certain contexts when held by certain people."
David Holtzman, vice president of compliance at security consultancy CynergisTek, adds: "It is also unlikely that the league or the team is a business associate [under HIPAA] because they did not obtain, maintain or create the health information while performing a function or service to a HIPAA covered entity."
In a statement to ISMG, a spokeswoman for the HHS Office for Civil Rights, which enforces HIPAA, says: "In a circumstance where an NFL trainer meets the definition of a covered entity (i.e., bills payers/insurers for care using HIPAA standard transaction), the trainer would be required to comply with HIPAA. We do not know enough about the circumstances here to know whether the trainer was or was not a HIPAA covered entity."
Most states have laws that require protecting sensitive personal, financial or health information from unauthorized disclosure, Holtzman says. "Most state laws exempt reporting when the device on which the information is stored is encrypted. And many allow that notification is required only if the individual is put at risk of financial harm or identity theft."
Although the NFL likely doesn't face any HIPAA-enforcement actions, it could still face lawsuits as a result of the incident.
"The league and the NFL players union have stated that the keeping of the medical information about players and participants in the league combines without encryption was a violation of league rules," Holtzman says. "And, earlier this year Jason Pierre-Paul, a player for the New York Giants, filed a lawsuit against ESPN and one of their reporters for publishing online copies of medical records concerning treatment at a Miami hospital. Clearly, there is more to watch for concerning where and how any of the data in these health records show up."
Assessing Risk
Keith Fricke, principal consultant at consultancy tw-Security, says that having a laptop password-protected, but not encrypted, "gives a false sense of security" because passwords can be cracked or circumvented.
"It's akin to locking the windows and doors to a house, but thieves being able to peek through the window's transparent glass," he says. Encrypting the device "makes those windows opaque," he says.
Fricke urges all organizations - not just those covered by HIPAA - to encrypt mobile devices. "Err on the side of caution. Just because there isn't sensitive information on the device today, doesn't mean it won't be added by an employee later," he says.
"Encrypting laptops and other portable devices like USB drives or smartphones is a 'no-brainer,'" Holtzman says. "In each of the six years since the implementation of the HIPAA Breach Notification Rule, upwards of 60 percent of all reportable large breaches were the result of loss or theft of an unencrypted portable device or media on which PHI had been stored."
Old Data?
The NFL security incident, which involved data dating back as far as 2004, also serves as a reminder for organizations to dust off their data retention policies and procedures.
"Why would 10-year-old medical information about players, most of whom are not on your team, ever still be retained on a laptop like this?" Nahra asks. "It may not be a legal issue, but it certainly raises this data management question for any kind of business entity."
Fricke suggests that organizations periodically assess data contained on mobile devices. "If you don't need to have the data there, then archive it and pull it up when needed, in case there's ever an adverse event, like the device getting lost or stolen," he says.