What happened to Yahoo and its CEO is what can happen to any organization, large or small, that fails to invest in privacy and security; for a healthcare organization, that means its HIPAA initiative. Historically, the healthcare industry has been a notorious laggard in implementing privacy and security. Even now, almost a decade after the HITECH Act was passed, the majority of covered entities and business associates are underinvesting in what amounts to information technology privacy and security 101.
The HIPAA Breach, Privacy and Security Rules ("Rules") do not represent the endgame with respect to fending off the bad guys. The Rules merely represent foundational controls that, from a security perspective, every organization large and small should have in place. Instead, the healthcare industry persists in treating HIPAA as some sort of necessary evil that Big Brother has forced down their throats. It's easy to see why budgets are so small. It will always remain easy to justify placing privacy and security at the bottom of the list for the same reason that Marissa Mayer of Yahoo did. Privacy and security are not sexy. You may have the best security in the world in place BUT it likely won't move your stock price up one iota.
That said, the flip side of the coin is that NOT having foundational security in place (and hopefully more than just that) may cause your reputation to be damaged and your stock price to plummet in a New York minute. Marissa Mayer knew better. She simply chose to roll the dice, hoping that it would never happen to Yahoo. That's the same place most healthcare executives are in now. They are much better informed than they were, say, five years ago. They are simply hoping that it won't happen to them. That's a risky bet given how vulnerable the healthcare industry is to unsophisticated attacks, let alone something like ransomware.
The bad guys know that healthcare is soft and they are coming for you. You can take that to the bank!