[dragonwriter]

> Also, why aren't they being charged with what is almost certainly a HIPAA violation?

Foremost among the many reasons, because investigation of HIPAA Privacy and Security violations is almost entirely (if not entirely) complaint-based rather than proactive, and probably no one filed a complaint to the HHS Office of Civil Rights.

Which I think should be the immediate and first act on discovering something like this with PHI, if for no other reason that doing so makes clearly applicable the whistleblower protections of 45 CFR 160.316.