It actually doesn’t work like that. It’s very likely Ardent have an underwriter for cyber insurance that will cover the costs of closing the breach and recovering data. Ardent will be accountable to some state or federal Office of Civil Rights for fines related to any data disclosure occurring as a result of the breach. Ardent can’t pass the costs on to healthcare insurers, or those carriers will drop Ardent facilities from their provider networks. Patients are unlikely to see increases in their healthcare costs as a result of this breach.

The healthcare industry is indeed a proper mess, and its for-profit nature is rife with conflicts of interest. Their IT organizations are indeed chronically understaffed and underfunded, but there is still regulatory diligence that must be maintained or states will revoke certifications and licenses to practice.

Source: I work in a healthcare adjacent organization, and have supported cleaning up breaches in healthcare. I know folks across several IT provider networks’ teams. They are generally competent, engaged and reasonably savvy about things. Of course there are exceptions and not all shops are the same, but from my experience IT in healthcare is generally competent. Usually these things are the result of a practitioner or hospital admin getting spear phished.