It’s also possible it was stolen. Though a FOI request against my hospital I was able to find the URLs where they store documents (they printed them and sent them to me, with the URLs at the top), which appear (though I obviously didn’t try) to be vulnerable to enumeration attacks. The files I was supplied with have sequential identifiers.
Assuming they live in the US, that is against HIPAA and in my experience it is taken very seriously since what you described is crime punished by a fine of up to $250,000 and up to 10 years in jail.
His healthcare information was not transmitted through technical means. His insurer and/or doctor sold the information.