Shamir’s Secret Sharing
This isn’t rocket science, we mostly solved this risk a long time ago. There is no reason not to escrow parts of keys so that sensitive data which doesn’t need to be accessed constantly is always unintelligible to attackers by default.
Not to blame the actual victims (the patients) but the clinic deserves every bit of blame it gets here.