There are no laws requiring disclosure of guilty parties, only disclosure of the incident. In many cases, the organization’s CISO will act as the whipping boy/girl for the incident, but I’ve not seen them come forward either. Barring a FOIA request, I don’t think they’re required to disclose payment of fines under HIPAA either.
Last time I checked, HIPAA fines were essentially not enforced. No wonder breaches occur all the time.