Trent J. Russell was an organ transplant coordinator for the Washington Regional Transplant Community (“WRTC”). WRTC is a federally designated organization that identifies near-death patients whose organs can be transplanted. Mr. Russell had access to potential organ donor information across 48 hospitals as part of his job.
On July 31, 2024, Mr. Russell was convicted of unlawfully accessing a patient’s medical records in 2019. Mr. Russell was not authorized to access these particular records, as the records were not those of a potential organ donor. Rather, the records were of a patient receiving cancer treatments at George Washington University Hospital in Washington, DC. This privacy violation involved the records of someone whose name is frequently associated with privacy rights: the late U.S. Supreme Court Justice Ruth Bader Ginsburg.
How Was Mr. Russell’s Activity Discovered?
In his role as a contractor for WRTC, Mr. Russell frequently visited near-death patients on-site to coordinate organ transplant activities. In January 2019, Justice Ginsburg’s hospital chart, which contained detailed cancer treatment information, appeared on the online messaging board 4chan, and then on Twitter and YouTube.
The postings attracted the FBI’s attention and triggered a joint FBI/WRTC investigation into an apparent data breach. Mr. Russell was identified as a suspect after WRTC traced a search for Justice Ginsbusrg’s patient chart back to one of Mr. Russell’s home computers. Upon identifying Mr. Russell as a suspect, WRTC revoked Mr. Russell’s access to patient records.
Prosecutors subsequently charged Mr. Russell with wrongfully obtaining and disclosing Justice Ginsburg’s individually identifiable health information (IIHI). The federal law under which Mr. Russell was charged is a HIPAA criminal law, violation of which is punishable by fines, prison time, or both.
Criminal PHI Access: A Swift Conviction
A federal court jury needed only half a day of deliberations to render a criminal verdict of guilty— guilty of unlawfully accessing Justice Ginsburg’s PHI and of the separate offense of tampering with and destroying records during a federal investigation.
The guilty verdict on the destruction of records charge does not reveal the workings of a criminal mastermind; prosecutors demonstrated that when Mr. Russell learned on February 10, 2019, that his access to medical records had been revoked, he reformatted his home computer – to destroy evidence and obstruct the investigation.
On the improper access charge, the jury simply did not find Mr. Russell’s testimony to be credible. “I respect her public service,” Mr. Russell said of Ginsburg during his trial. When Mr. Russell’s lawyer asked Mr. Russell how his home computer wound up entering search terms producing the Justice’s hospital chart, Mr. Russell initially said, “I have no idea.” Later, he added, “I feel like everyone’s made typos.” (Mr. Russell’s singular wit burbled up at another point during the initial investigation, when he stated it was possible that his “cats had run across” his keyboard).
The Consequences of the Criminal PHI Access
As noted above, wrongfully obtaining or accessing an individual’s individually identifiable health information (IIHI) is a crime. Mr. Russell’s HIPAA violation subjects him to prison time and potential fines in the tens of thousands of dollars. The penalties for this PHI access violation will be determined at sentencing. Mr. Russell’s sentencing hearing is expected to take place in November 2024.
Could This HIPAA Criminal Law Story Have Had a Different Outcome?
Compliancy Group’s healthcare compliance tracking solution, The Guard, contains templated policies and procedures, controls (self-audit measures), and training materials that healthcare organizations can use to manage their HIPAA compliance and to deter improper PHI disclosure.
A number of the materials Compliancy Group offers address the issues directly implicated by the Russell case. These materials include our templated policies and procedures on:
- Proper uses and disclosures of PHI
- Background screening
- Workforce security
- Information access management
- Security awareness and training
- The minimum necessary standard
- Security incident procedures
- Employee sanctions
- The least privilege principle (which dictates that those workforce members with appropriate authorization can access ePHI)
– just to name a few.