His blog post seem to make it clear that his intent was to gain access to data in a computer system he did not have permission to access. Why would "disclose PII" be relevant?
CFAA cases turn on the "why" as much as the "how", and "because I wanted to find and disclose security vulnerabilities for the good of the public" is a disfavored "why". Read the sentencing filings in the case you're talking about to see more about the implication of disclosure.
