Perhaps true, but the strongest privacy protections in the US are still pretty weak. The biggest penalty I know of is Anthem 2018, where they leaked HIPAA-qualifying records on 80 million customers. Their financial penalty was a whopping... $16 million. Two dimes per affected customer!
It's true that the US rarely penalizes corporations enough to really disincentivize things, but healthcare providers probably take client data security more seriously than just about any other group besides maybe law firms. It's weird to single them out as being particularly unconcerned with and unpenalized for leaks.
