Likely that tens of millions of records were stolen.
Or sold?
Right you all are that healthcare organizations have not taken information security very seriously up until now.
They have relied on using their infosec policy binderware (check marks) to pass security audits.
It's only recently dawning on them that being compliant is not the same as being secure.
BTW: HIPAA doesn’t protect or assure the privacy of patient health information.
All of your personal health data is sold and shared between thousands of healthcare-related entities without your knowledge or consent.
See: the HC data map as follows -
Healthcare Datamining connections:
http://thedatamap.org/
http://patientprivacyrights.org/what-you-can-do-faqs/