I'm glad your organization hasn't had a PHI breach. I'll see your anecdata and raise you mine:
The two biggest hospital providers in my geography have both had breaches in the last 5 years, both involving exfiltration of PHI (and one involving ransomware). (My family's data was in both, too!)
https://www.hipaajournal.com/premier-health-partners-2023-da...
https://www.hipaajournal.com/kettering-health-ransomware-att...
I have a background in IT security and systems administration (including working as a contractor for healthcare providers). Since medical records have become "electronic", I've assumed medical data is de facto public.
If there were a diagnosis or treatment I felt others knowing about would compromise me, I would avoid bringing it up to a medical professional or seeking treatment. I'm certain there are people who avoid mental health services, for example, for exactly that reason.