Anecdotally, those of us who interact with the healthcare industry on a daily basis from a privacy and security perspective have known for a long time that the industry was woefully behind other industries (e.g., online banking). Therefore, it doesn't come as much of a surprise to learn from experts that the healthcare industry is the most easily hacked (e.g., according to this expert, the retail industry is in better shape).
Privacy and security are simply NOT top priorities for most providers. Granted, the industry has its "hair on fire" at the moment with 150 years of change rolled into 10, but that's not the real issue. The real issue is that the industry, en masse, fails to understand that what is required is a culture of compliance (i.e., compliance built into the day-to-day operations of existing and future business models). Until top executives realize the import of culture, nothing of significance will change. The industry will simply roll from breach to breach, blind and oblivious, continuously whining about being over-regulated.