If you weren't informed about it, how are you supposed to know that they are the good guys . . . ?
You shouldn't know, and you're supposed to treat them like the bad guys.
How do you know that their machines haven't been hacked, and that ALL of the penetration attempts are actually tests?
If you talked to them on a phone rather than face-to-face at THEIR office (or even then), how do you know the person you talked to is actually a security guy or I.T. administrator at the hospital and not a freelance cracker, identity thief, spy, or even an assassin going after a patient? If somebody cracked, say, a VoIP phone system, they could intercept your complaints and tell you it was standard operating procedure and to ignore such attacks.
Even if they are what they claim to be and ALL the attacks are from them, by telling you it's just a test and you should ignore it, and continuing to "test" you, they've just TOLD YOU TO IGNORE ATTACKS. If you do, you FAIL.
IMHO (IANAL) you MUST attempt to halt the attacks and treat them as real or you are in violation of HIPAA.