It most certainly is information protected by HIPAA. It's just that there are no enforced consequences for companies breaking HIPAA (or pretty much any other law) while there are dire consequences for people accessing public data under the CFAA. I'll put it this way: if I wanted to murder someone in the US and get away with it, there are dozens of opportunities under the law as long as said murder is committed under the umbrella of a corporation. But god fucking forbid you access public data that was not secured properly by idiotic corporations and your life is ruined like this researcher's is about to be. Our judicial system is a joke; a society without justice is no different than the random savagery it purports to be above.