Illegal Access To Health Records

Quick legal framework — what “illegal access” can mean

“Illegal access” to health records is an umbrella term that can cover several different legal theories, depending on who did the accessing, how, and where:

HIPAA (Health Insurance Portability and Accountability Act) — federal privacy/security rules. HIPAA itself is mostly enforced administratively by HHS’s Office for Civil Rights (OCR) and by state attorneys general; OCR can impose corrective action and civil monetary penalties for failures to safeguard protected health information (PHI). HIPAA does not generally create a private federal right of action for patients to sue (courts have largely held this), though state law may provide civil claims.

Computer Fraud and Abuse Act (CFAA) — a federal criminal statute used to prosecute unauthorized or improper access to computers. How “unauthorized access” is interpreted has been the subject of major litigation; important for employees or insiders who use legitimate credentials but access data in an improper way.

State criminal statutes — many states have laws making unlawful access to computer systems or medical records a crime (sometimes with health-record-specific provisions).

Common‑law torts / state privacy law — claims like intrusion upon seclusion, breach of confidence, negligence, or violations of state data‑breach/medical‑privacy statutes can be used civilly against those who access or disclose medical records improperly.

Fourth Amendment / government searches — when government agents access medical records, constitutional limits on searches and seizures can apply.

With that framework, here are detailed case/enforcement discussions.

1) Whalen v. Roe, 429 U.S. 589 (1977) — Supreme Court, privacy context for medical records

Facts / context: New York had a statute requiring the state to collect and keep prescription records for certain controlled substances. Some citizens challenged the law as violating constitutional privacy rights and as an unlawful delegation of power.

Issue: Does a state law requiring collection and retention of prescription information violate a constitutional right of privacy (or other constitutional protections)?

Holding / reasoning: The Supreme Court recognized that there is a privacy interest in avoiding disclosure of personal matters (including some medical matters), but it rejected a broad constitutional right that would bar the record‑keeping statute at issue. The Court balanced the privacy interests against the government’s regulatory interests (preventing drug abuse and monitoring controlled substance prescriptions) and concluded the statute did not violate the Constitution as applied. The Court also hinted that different collection or disclosure rules might raise closer constitutional problems, but it declined to create a sweeping constitutional protection for all medical records against governmental collection.

Why it matters for “illegal access”: Whalen is a foundational Supreme Court discussion recognizing that medical information implicates privacy interests — but it also signals that government collection or regulation of medical information is not per se unconstitutional. This case is often cited when courts balance privacy interests against government or regulatory needs for medical data. It is especially relevant when government actors or public health authorities access medical data.

2) United States v. Nosal (Nosal I & Nosal II), 9th Cir. — insider misuse and the CFAA

There are two key Ninth Circuit opinions interpreting the CFAA and access restrictions:

Nosal I (2012): United States v. Nosal, 676 F.3d 854 (9th Cir. 2012)
Facts: Former employees of an executive search firm conspired to have current employees use their authorized credentials to download confidential data from the employer’s computers for the ex‑employees’ benefit. The prosecution charged violations of the CFAA on the theory that the defendants caused “unauthorized access” by having insiders use authorized credentials to get the data.

Holding / reasoning (Nosal I): The Ninth Circuit held that simply using someone’s authorized credentials (or causing an insider to use them) to obtain information the insider was permitted to access does not fall within the CFAA’s “without authorization” or “exceeds authorized access” language. The court was concerned that interpreting the CFAA to criminalize all policy violations or employee misuse would be unconstitutionally vague and would criminalize enormous swaths of commonplace conduct (e.g., checking a personal account on a work computer). So the court required a narrower reading: the CFAA targets those who access a computer system without any authorization, or who access areas of a computer that they are not permitted to access (e.g., by bypassing an access control).

Nosal II (2016): United States v. Nosal (en banc), 844 F.3d 1024 (9th Cir. 2016)
Facts/issue: After Nosal I, the government continued the prosecution and the Ninth Circuit reheard the case en banc on related questions about the CFAA.

Holding / reasoning (Nosal II): The en banc court reaffirmed a narrow reading of “exceeds authorized access”: the CFAA does not reach employees who have legitimate access to a database but use that access for an improper purpose (e.g., to steal employer data) unless they actually bypassed a technical limitation. The en banc court did allow certain interpretations that could sustain convictions depending on the precise facts (e.g., if credentials were shared to circumvent access controls), but overall Nosal put a strong limit on prosecuting ordinary employee policy violations under the CFAA.

Why it matters: Nosal is central for cases where health‑care employees (nurses, billing clerks, etc.) view or download patient records for improper purposes. Nosal suggests that, absent technical circumvention of access controls or clear evidence of lack of any authorization, CFAA criminal charges may not be appropriate for ordinary “snooping” by insiders — though other criminal or civil laws (state statutes, HIPAA administrative enforcement, employer discipline) can apply. Nosal shaped prosecutorial strategy and employer compliance practices.

3) Van Buren v. United States, 141 S. Ct. 1648 (2021) — Supreme Court narrowing of CFAA “exceeds authorized access”

Facts: A Georgia police officer accepted money to run a license‑plate search that he was not permitted to run for those purposes. He had lawfully held credentials for the law‑enforcement database; the government charged him under the “exceeds authorized access” portion of the CFAA.

Issue: Does the CFAA criminalize an individual who has lawful access to a computer system but uses that access for an improper purpose (i.e., “exceeds authorized access”)?

Holding / reasoning: The Supreme Court held that the CFAA’s “exceeds authorized access” clause does not apply to a person who has been given authorized access to a computer system but who uses that access for an impermissible purpose. The Court adopted a narrow statutory construction: “exceeds authorized access” covers situations where a user accesses parts of a computer (files, folders, databases) that are off‑limits, not situations where the user has legitimate access but uses it for an illicit purpose. The Court expressed concern that a broader reading of CFAA would criminalize commonplace conduct contrary to the statute’s purpose.

Why it matters for health records: Van Buren is a controlling Supreme Court ruling that narrows the CFAA after Nosal. For health‑record “snooping” cases where an employee with credentials just looks up patient records for improper reasons, Van Buren makes a CFAA charge far less likely to succeed unless the access involved bypassing technical access controls or accessing data the user was never permitted to see. Prosecutors and civil plaintiffs often must rely on other statutes or state laws, or on evidence that the user’s credentials were used to bypass access restrictions.

4) United States v. Valle, 807 F.3d 508 (2d Cir. 2015) — law‑enforcement database misuse and the CFAA

Facts: A New York City police officer used his authorized access to a law‑enforcement database to look for identifying information about potential victims for criminal sexual fantasies and communications. He argued his searches were protected or that CFAA didn’t apply to misuse of legitimately accessed data.

Issue: Can misuse of database access by a government employee (searching for personal reasons) support a CFAA conviction? What are the limits on criminal liability?

Holding / reasoning: The Second Circuit addressed whether the defendant’s actions fell within the CFAA’s reach. The court recognized limits but ultimately sustained criminal liability given the particular combination of unauthorized access to certain databases and the nature of the misuse. Valle’s case is fact‑specific and the decision reflects the balancing courts have done about whether misuse by insiders constitutes criminal conduct under CFAA or other statutes.

Why it matters: Valle illustrates that courts will look closely at the concrete facts: whether the access involved technical circumvention, whether the database had explicit access controls limiting certain users, and whether the user’s conduct was criminal for other reasons. Valle is often discussed alongside Nosal and Van Buren as part of the evolving CFAA jurisprudence relevant to unauthorized access to sensitive information (like medical or law‑enforcement records).

5) OCR enforcement — Anthem (2018) HIPAA settlement — major administrative enforcement for breach of PHI

Context / facts: Large health insurers and health‑care entities that fail to protect PHI may be investigated by HHS OCR after a breach or complaint. One of the largest and most publicly notable OCR enforcement actions involved Anthem, Inc., following a massive data breach exposing tens of millions of individuals’ personal information.

Enforcement / outcome: In 2018, OCR announced a resolution agreement and civil monetary penalty with the covered entity, the amount of which was publicly reported as substantial (this OCR action was paired with state attorney general settlements). The settlement required a large payment and a corrective action plan. OCR’s enforcement emphasized failures in risk analysis, risk management, and safeguards (technical and administrative) that allowed unauthorized access and exfiltration of PHI.

Why it matters: OCR enforcement actions show that even where criminal prosecution under CFAA isn’t available or appropriate, administrative enforcement under HIPAA can produce major penalties and require long‑term corrective action. These cases focus on failures of governance, encryption/loss prevention, access controls, auditing, and incident response — and they signal to covered entities that OCR will hold organizations accountable for preventable exposures and for poor access controls that enable unauthorized access.

(Note: OCR settlements are administrative resolutions, not judicial opinions; they nonetheless create practical precedents and often come with detailed Corrective Action Plans that explain what went wrong.)

6) State / civil privacy torts — intrusion upon seclusion and cases where employees snoop (doctrinal examples)

There are many state court decisions where a patient sues a hospital, employer, or individual for improper viewing or disclosure of medical records — these are fact‑specific and depend on state law. A typical example pattern (doctrinal outline rather than a single famous name) looks like this:

Facts (typical): An employee (e.g., a nurse) views a celebrity or acquaintance’s electronic medical record out of curiosity, then discloses or threatens to disclose the contents.

Legal theories used by plaintiffs:

Intrusion upon seclusion — invading private affairs by wrongful intrusion (snooping into health records can qualify).

Breach of confidence / breach of privacy statute — state statutes may directly prohibit unauthorized disclosure of medical records.

Negligence — asserting the hospital negligently allowed access that injured the patient.

Conversion / unjust enrichment or related claims — less common.

Typical outcomes / reasoning: Courts often find that unauthorized access and disclosure of deeply personal medical information can support an intrusion claim and/or statutory violation. Damages vary; where statutory privacy protections exist (e.g., state medical privacy acts), plaintiffs may obtain statutory damages or injunctive relief. Employers may also terminate or discipline employees, and OCR / state AGs may initiate enforcement actions.

Why it matters: Civil claims and employment discipline are the most common real‑world consequences for individual employees who illegally access health records. Even when CFAA criminal charges won’t stick (per Van Buren / Nosal), civil and administrative remedies can still produce relief and deterrence.

Putting the cases together — practical themes & takeaways

Insider “snooping” is often not a straightforward CFAA crime. Van Buren and Nosal together make clear: if an employee has authorized access to a system, merely misusing that access can be hard to prosecute under the federal CFAA unless technical access controls are bypassed or the user accesses areas they genuinely aren’t authorized to enter.

HIPAA enforcement fills a different role. OCR enforcement actions (and state AG actions) focus on whether covered entities implemented reasonable safeguards, access controls, auditing, workforce training, and breach response. Even if a single employee’s misuse is not a federal criminal case, the covered entity can be penalized for weak controls that allowed the misuse.

State criminal statutes and tort law remain important. States often have statutes criminalizing unlawful access to electronic health records specifically, and patients can bring civil suits (intrusion upon seclusion, breach of confidence, negligence). These are commonly used in practice against employees who view or disclose records improperly.

Government actors and databases get special attention. Cases like Whalen (privacy balancing) and Valle (government database misuse) show that when government agents or public health systems access records, constitutional and statutory limits apply and courts will balance privacy against legitimate government purposes.

Access controls, auditing, and policies matter in practice. Courts and OCR repeatedly emphasize concrete safeguards: role‑based access controls, logs and audit trails, encryption, training, and a culture of compliance. When those fail, liability follows.

Practical examples of how the law is applied (short scenarios)

An ER nurse uses her badge to look up the medical file of a celebrity she knows. Result: likely employer discipline or termination; likely state criminal or civil liability under state laws; a federal CFAA prosecution of the employee is unlikely (per Van Buren / Nosal), but the employer could face OCR scrutiny if controls/audit trails were inadequate.

A contractor exports a patient database by copying files off the system, bypassing technical controls. Result: stronger basis for CFAA prosecution (unauthorized access or exceeding access), civil liability, and major OCR enforcement against the covered entity.

A public health agency compiles prescription records for monitoring. Result: Whalen‑style balancing — constitutional privacy challenges will be evaluated against public‑health needs.
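The nurse and contractor scenarios above are exactly the two patterns an audit program is expected to surface from EHR access logs: a user with valid credentials opening a chart outside any documented care relationship, and one account pulling many charts in a short window. The following is an added illustration of such audit-trail checks, not code from any case, regulator or product; the log lines, user names and relationship table are constructed sample data, and a real entity would derive the relationship table from encounter, scheduling or work-queue records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: documented care/processing relationships, user -> patient ids.
CARE_RELATIONSHIPS = {
    "nurse_a": {"P100", "P101"},
    "nurse_b": {"P102"},
    "contractor_x": {"P100", "P101", "P102", "P103"},  # vendor under a data-processing agreement
}

# Constructed sample EHR audit log: timestamp,user,role,patient_id,action
SAMPLE_LOG = """\
2024-03-01T09:00:00,nurse_a,RN,P100,VIEW
2024-03-01T09:05:00,nurse_a,RN,P101,VIEW
2024-03-01T09:07:00,nurse_a,RN,P999,VIEW
2024-03-01T10:00:00,nurse_b,RN,P102,VIEW
2024-03-01T11:00:00,contractor_x,VENDOR,P100,EXPORT
2024-03-01T11:00:01,contractor_x,VENDOR,P101,EXPORT
2024-03-01T11:00:02,contractor_x,VENDOR,P102,EXPORT
2024-03-01T11:00:03,contractor_x,VENDOR,P103,EXPORT
"""

def parse_log(text):
    """Parse the comma-separated audit lines into dicts with a datetime timestamp."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "role": role, "patient": patient, "action": action})
    return rows

def find_no_relationship_access(rows, relationships):
    """Rule 1 (the nurse scenario): a chart opened by a user who holds valid
    credentials but has no documented relationship with that patient."""
    return [(r["user"], r["patient"]) for r in rows
            if r["patient"] not in relationships.get(r["user"], set())]

def find_volume_anomalies(rows, max_patients=3, window=timedelta(hours=1)):
    """Rule 2 (the contractor scenario): one user touching more distinct
    charts inside `window` than their role plausibly needs."""
    by_user = defaultdict(list)
    for r in sorted(rows, key=lambda e: e["ts"]):
        by_user[r["user"]].append(r)
    flagged = []
    for user, events in by_user.items():
        for i, start in enumerate(events):
            distinct = {e["patient"] for e in events[i:] if e["ts"] - start["ts"] <= window}
            if len(distinct) > max_patients:
                flagged.append((user, len(distinct)))
                break
    return flagged
```

Neither rule needs to decide whether the access was "authorized" in the CFAA sense; both flag the conduct that the page says OCR and state law reach regardless, which is why audit logs matter even when federal prosecution does not.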

If you want more (next steps I can do right now)

I can produce a table listing additional cases and statutes (with short annotations and citations).

I can write a model complaint alleging intrusion upon seclusion and HIPAA violation (state‑law variant) from a plaintiff’s perspective — helpful if you’re studying pleadings.

I can summarize state statutes in a chosen jurisdiction (e.g., California, New York, Texas) that criminalize unauthorized access to medical records — tell me which state and I’ll prepare a tailored summary from my knowledge (no web browsing).
