The cynic in me says they would have just let people die rather than not be able to bill them. But the realist in me knows that it took them a year to bill me for an ER visit, so it's just that no one knows what anyone else is doing.
All that aside, it's disturbing that they had no clue anything at all had gone wrong until 19 days after intrusion. We're never going to get a real post-mortem on this one unless Morgan & Morgan drags it out of them in open court, but that's pretty damn long. Usually these attacks are either very quickor very deliberate. In the latter case, often they gain access to one account, which may or may not be terribly over-privileged, and then move laterally, discovering other services, accounts, and level of access. It's very tricky, very professional, and very smart. And sometimes it's based on vulnerabilities that aren't publicly known. In outer words, if that happens, you're kinda fucked and this type of response is the best you can hope for.
There's always more security you can implement, and there are always things you could have done better. I'm pissed about them giving up my info, but I work in this field and I know how damn hard it is to do better. I'm not cheerleading for them, but coulda been worse, I guess?