conciselyverbose

The letters aren’t required by any law

They should be.

If you touch any personal information in any way (let alone medical), touching any known compromised system without very clear documentation of how the compromise happened, how it was resolved, and very clear process changes to make sure it doesn't happen again should be a massive fine per user you service, plus treble actual damages. It's gross negligence.

Having clear documentation of an attack isn't red tape. It's the absolute bare minimum.
