"A 4-year HIPAA data breach has been reported by The University of California Irvine Medical Center after the healthcare provider discovered an employee had accessed nearly 5,000 patient records without authorization .... A person “who was not a patient” tipped off the hospital. This suggests that access logs were not being checked at all."
Addendum: and then there's this:
"hackers broke into UCLA Health System's computer network and may have accessed sensitive information on as many as 4.5 million patients, hospital officials said .... The revelation that UCLA hadn't taken the basic step of encrypting this patient data drew swift criticism from security experts and patient advocates."