Deliberate attacks generally target insurance data. You can't make much off of knowing someone got a booboo, but insurance fraud is a gold mine.
That isn't to say that ambient malware isn't finding its way everywhere else. The reality is that modalities (CTs, MRIs, etc.), are rarely patched, many are running ancient versions of Windows. Re-imaging systems--sometimes near daily at some facilities--is the normal strategy for addressing malware. Lack of support from the manufacturer being principally to blame. Most facilities have a strong concern for security but there's often an absence of adequately qualified IT staff to address the matter elsewhere in the facility.
Sharks sometimes get into the shark cages, or bite through the protective mesh armor. It is a known risk and the person jumping in is accepting that risk when they enter.
The waters (the Internet) are infested, and the user chose to accept the risks associated with using AM as a shelter within that environment. Personal responsibility doesn't stop at the gate. It would be nice to leave your worries at the door, but first you need to decide if it's made of paper and whether you're willing to accept the risks inherent with that.
No they didn't expose themselves at all, a site they thought was safe to use to be able to have a little bit of freedom was hacked.
They chose to exposed themselves to the site. They made a risk calculation and found themselves on the wrong side of probability. The politics, and the consequences thereof have nothing to do with it.
Victim blaming in some circumstances is very much appropriate. If you jump into shark infested waters with bloody raw meat strapped to you, then you are at least in part to blame when you become lunch. It is shameful that the shark infested environment exists in the first place, but at the same time the person chose to jump in and offer themselves as the tasty morsel.
Life is a healthy respect for mother nature laced with greed.