For you and me. There’s a yearly cap per violation that’s capped at $1.5MM. This entire incident would be counted as one violation with multiple records. This is assuming they get fined in the first place.
Or the cost to employ a handful of security engineers.
Note: I am not a subject matter expert and this is based on my chat with a lawyer who did HIPAA consulting on a medical app I used to work on.