Fucksake. This isn't new territory. It professionals know how to mitigate this stuff. There should be row-level encryption on databases with health data. There should be accountability through each item on the OWASP top 10. 

This shit just looks like lazy under-investment in favour of feature delivery. 

Another health provider targeted by data breach | Stuff

https://www.stuff.co.nz/nz-news/360923210/another-health-provider-targeted-data-breach