Criminal Consequences for Violations of Patient Privacy — Recent Update from the Fourth Circuit

By Claire O’Brien and Mousa Alshanteer

For health care counsel who advise on privacy issues, including compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Fourth Circuit’s recent decision in United States v. Russell offers a reminder that the scope of protected patient information is broad and that unauthorized access can trigger not only contractual and regulatory consequences, but criminal exposure as well.

The case arose after a screenshot of Justice Ruth Bader Ginsburg’s information from George Washington University Hospital appeared online.[1] The screenshot displayed her name, the dates of multiple hospital visits and categories of services associated with those visits, including radiology, oncology and surgery. The ensuing investigation led authorities to Trent Russell, whose work for an organ-donation-related nonprofit gave him both on-site and remote access to patient medical records in the hospital’s systems. Search logs and forensic analysis linked the relevant access to Russell’s home computer.[2]

A jury ultimately convicted Russell of wrongfully obtaining individually identifiable health information in violation of 42 U.S.C. § 1320d-6(a)(2) and of destroying or altering records to impede an investigation under 18 U.S.C. § 1519.[3] On April 14, 2026, the Fourth Circuit affirmed the conviction and the district court’s sentencing of Russell to 24 months’ imprisonment.[4]

Scope of “Individually Identifiable Health Information”

A major issue on appeal was whether the information shown in the screenshot constituted “individually identifiable health information” for purposes of the criminal statute.

Russell argued that the statute covered only information revealing specific health conditions, such as detailed treatment information or details about a patient’s particular physician. In his view, a patient search screen that listed a patient’s name, visit dates and categories of services did not qualify because it did not disclose the precise nature of Justice Ginsburg’s medical condition or identify her treating physicians. The Fourth Circuit rejected that argument, describing Russell’s interpretation as a “crabbed view of the statute.”

The Court held that information such as a patient’s name, place of treatment, arrival and discharge dates and medical services provided “falls well within the heartland of the conduct the statute is aimed at because it ‘relates to the past . . . health or condition of an individual [and] the provision of health care to an individual.’”[5] Finding otherwise, the Court held, would “flout the spirit of the law.”

Takeaways for Health Care Counsel

United States v. Russell underscores that the legal significance of health information does not turn on whether it appears in a traditional medical record or a more administrative interface. By focusing on whether the information identifies an individual and “relates to” that person’s health or the provision of health care, the Fourth Circuit made clear that patient search screens, scheduling data and similar system-generated displays may themselves constitute legally protected information.

In practice, this reasoning aligns with how privacy risks often arise: improper access can occur at the search or lookup stage, before a user opens a full chart. Russell confirms that such access is not legally inconsequential merely because it stops short of reviewing diagnoses or detailed treatment information.

For attorneys advising covered entities and business associates, Russell offers several practical lessons:

1. First, access controls and workforce training should expressly address that patient lookup functions, scheduling data and search-result screens may themselves constitute legally protected information, even if the full chart is not opened.

2. Second, the decision highlights the evidentiary importance of audit logs, device identifiers and remote-access records; in Russell, those technical artifacts were central to establishing unauthorized access and attribution. Interested counsel should review the Russell opinion for further details on how the hospital’s investigation identified Russell as the most likely source of the online screenshot.

3. Third, counsel should remind clients that intentional misuse of access credentials — particularly when coupled with efforts to conceal activity — can trigger criminal exposure under HIPAA’s enforcement provisions, not merely civil penalties or corrective action plans.

Taken together, the opinion reinforces the need for compliance programs and incident-response strategies that account for how privacy laws are applied in practice, including in the criminal context.

[1] The screenshot was initially discovered by employees of George Washington University Hospital when it appeared on Twitter. Subsequent investigation revealed that before appearing on Twitter, the screenshot was posted on the anonymous message board 4Chan.

[2] During the Government’s initial investigation, Russell claimed he did not know how his credentials had been used to run searches for “Gins” and “Ginston” (which would have returned results for “Ginsberg”). He suggested that “potentially his cat had run across the keyboard and typed in those letters.”

[3] The jury acquitted Russell on the separate count alleging wrongful disclosure of individually identifiable health information.

[4] United States v. Russell, No. 24-4620, 2026 WL 999566 (4th Cir. Apr. 14, 2026).

[5] The Court cited 42 U.S.C. § 1320d(6).