Majority of NFL Players' Medical Exam Results Exposed by Laptop Theft


The NFL recently announced that the majority of its players' medical exam results may have been exposed when a password-protected but unencrypted laptop was stolen from a Washington Redskins trainer's car in late April, Deadspin reports.

The laptop held copies of the medical exam results for all NFL Combine attendees for the past 13 years, along with some Washington Redskins players' records. A zip drive and some hard copy records of medical examinations were also stolen.

Still, the Washington Redskins said in a statement, "No Social Security numbers, Protected Health Information (PHI) under HIPAA, or financial information were stolen or are at risk of exposure."

"It is our understanding that our Electronic Monitoring System prevented the downloading of any player medical records held by the team from the new EMR system," NFL Players Association (NFLPA) executive director DeMaurice Smith wrote in an email to player representatives.

"All clubs have been directed to re-confirm that they have reviewed their internal data protection and privacy policies and that medical information is stored and transmitted on password-protected and encrypted devices; and that every person with access to medical information has reviewed and received training on the policies regarding the privacy and security of that information," the NFL said in a statement.

Michael Magrath, VASCO Data Security's director of healthcare business, told eSecurity Planet by email that this should serve as a clear example that healthcare breaches are not isolated to healthcare organizations.

"Assuming the laptop was Windows based, security can be enhanced by replacing the static Windows password with two-factor authentication in the form of a one-time password," Magrath suggested. "Without the authenticator to generate the one-time password, gaining entry to the laptop will be extremely difficult."

"By combining encryption and strong authentication to gain entry into the laptop, the players' and prospects' protected health information would not be at risk, all because organizations and members wish to avoid a few moments of inconvenience," Magrath added.

And WinMagic vice president of technology Garry McCracken noted by email that without encryption, laptop passwords alone provide very little protection for data. "Today, encryption is a relatively inexpensive and unobtrusive control that should be applied to all user data," he said.

"While 'No Social Security numbers, protected health information under HIPAA or financial information were stolen or are at risk of exposure,' it is still difficult to determine after the fact that the user specific information is not sensitive," McCracken added. "It is best to just encrypt everything."

A recent eSecurity Planet article looked at seven full disk encryption solutions worth checking out.