This sounded like a straight-forward HIPAA violation, but I checked. There's a carve out for LE.
You can see the bones of a stronger limit during drafting (as "required" by warrants), but then weakened to allow mere "administrative requests".
> Law Enforcement Purposes. Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official's request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person's death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-reg...
Additionally from the article the data seems limited to identification information and not medical information.
That doesn't really help. HIPAA covers anything personally identifiable while held by a covered entity. Their only cover is the LE exception.
Just think: If I "only" steal names and address from the psych ward, that's still a breach.