I think there are even more basic table stakes that were missed here well prior to conducting any manner of formal compliance auditing - like unauthenticated users accessing this database!

Sure, but if it was a HIPPA compliance issue then the legal action path is easier and more lucrative.