People didn't put their private medical records on the open internet. They may have uploaded them to a service they thought was respecting privacy but was either selling their data without disclosure or was just straight up incompetent and uploaded private-user-data.zip to a public Dropbox share.