If patient records are actually being found on the Internet, then surely GDPR and HIPAA investigations would be forthcoming? Who is going to verify this claim?
Companies should be checking their own periodically with scans and in other ways. If you are found to be leaking that PHI, then you will pay.
@JerryHI Jerry, the operative word being "should" but they do not - so are penalties the answer? Or should it be going to the root of the problem within the C Series with better education, or do human beings really want to learn the hard way through attrition or public embarrassment?
Education and training are needed. If it takes negative publicity and fines, then so be it. At some point, leadership has to take things seriously.