You say that you are "connected to" the network but you don't say what this relationship actually is. If you are hosted by the hospital (i.e. actually part of their network), then they may have an information security department who is checking all the hosts that are on their network. This may or may not be part of the contract, either as a service provided or something that is required by the contract or hosting arrangement.
If you are not actually part of their network or hosted by them, there may still be something in the contracts that says that they can do this sort of penetration testing with partner companies. It isn't the best idea to accept this as a contract term, but I have seen it requested before and it may have been in there with nobody to notice it.
I would say that whoever handles the arrangement with the hospital should probably talk with their counterpart on the hospital's side about this and learn more about why it is happening and what is done with the information.
With respect to the various posts that have/will happen about HIPAA, I would say that it's totally possible (and desirable) to have a proactive information security policy that can still comply with regulations. Proactive penetration testing is not prohibited.