Someone on my Mastodon feed put this best: People who aren't tech saavy STILL deserve privacy, security and safety.
Hospitals are full of people who understand medicine, not tech. Because that's what they are. Administrators don't even know what to ask to hire a good tech person, and when a tech person gets in there any change they make has a danger of disrupting livesaving systems so they can't do anything anyway. It sucks, but HIPAA still says those records are private and you're not supposed to be looking at them without having a good reason to. The hospitals are liable for not protecting them properly, but Meta is still in the wrong and still breaking the law by scarping for them.
Ultimately, this is everyone's fault but the patients and the patients are the people who are wronged by it.