> Labs are routinely sent to third-party companies

Labs are real businesses that do real things, and would have actual impact for a breach. Meanwhile any idiot can vibe-code a thin shim between a microphone and ChatGPT in a weekend, promise they're HIPAA-compliant, and start selling. Medical professionals have no obligation to do any diligence, and there's no reason for them to not just buy whoever-is-cheapest. They're not even close to the same thing.