>Institutions that handle sensitive data that is subject to access regulations generally have a compliance process that must be followed prior to accessing and using that data, and a compliance department staffed with experts who review and approve/deny access requests.

Facebook isn't running an electronic medical records business. It has no expectation that it's going to be receiving sensitive data, and specifically discourages it. What more are you expecting? That any company dealing with bits should have a moderation team poring over all records to make sure they don't contain "sensitive data"?

>But Facebook would rather move fast, break things, pay some fines, and reap the benefits of their illegal behavior.

Running an analytics service that allows apps to send arbitrary events is "move fast, break things" now?

Wether you are a medical records processing service doesn't depend on self-identity, it depends on if you process medical data.

Evidently Facebook does use medical data for targeted advertising. So they are a medical records business.

Is this a simple hosted analytics service, where outputs are only accessible by Flo, or does Facebook uses this data in any other meaningful way?

If this is used by targeting, I’m afraid we can’t call this just an “analytics service”.