
My guess, based on what's publicly available, is that this incident is quite possibly just a set of stolen or misused creds for a fairly widely available Medicare card lookup database used by doctors. In which case, this is less of a "cyber security" issue and more an issue with fundamental system design/requirements. But we'll see.


One way to avoid this would be to limit the access of a doctor to patient records. Unless you give permission at a doctor/hospital to have them access your record, they won't be able to do a lookup. Retract the permission automatically/renew it once every X months. This would make stolen/misused creds a much smaller risk.


This runs into problems when the patient can't give permission e.g. because they are unconscious.


This is a problem that can be solved in a low tech way using a medical bracelet / necklace for patients who have chronic diseases that doctors might need to know about.


Somebody with sickle cell disease or otherwise transfusion dependent greatly benefits from electronic records, which help minimize antibody reactions (not just ABO and Rh, but Duffy, Kell, Kidd, MNS, etc.).


So, this isn't access to patient records as such - it's merely access from a name to a Medicare number.

Additionally, how exactly are you going to get the patient to give permission beforehand? Patients will expect to walk into a medical clinic, hand over their card, and have it all just work.



