I work for an EMR vendor. FYI, the HITECH Act obligates companies to disclose breaches only in situations where PHI (patient data) is accessed. Our infrastructure could be co-opted into a Russian Bitcoin mining farm, but as long as patient data isn't touched, we don't have to let anyone know.
What a lot of people don't realize is that many clinics are small businesses. Small businesses tend to make small business decisions. Doctors won't replace those workstations running Windows XP or Vista if they plan to retire in a few years--that's wasted money. We've noticed that not maintaining support contracts for critical infrastructure is a popular cost-saving measure as well.
Penny pinchers are a problem, as is entrusting responsibility to Billy Bob at Local Computer Guy's and Cable TV Repair's. Yes, Billy, we can tell you haven't made a successful backup in six months, and the UPS at the customer site has been failing for twelve. No, Billy, it's not OK to leave those ports exposed on the Internet. People rag on the cloud being someone else's computer, but cutting Billy out of the loop is a net positive.