My Tuppence Worth
As others have said, the data shouldn't have left the hospital in the first place. At the medical facility I consult at, all PHI data resides on the database servers. Access internally is via thin clients. If someone needs to access data from home or from a laptop, they have to establish a VPN connection first.
The only time PHI leaves the facility is on encrypted backup tapes.
At the end of the day, it's not rocket science.