I'm not well versed in Finnish law - but in the USA simply the act of accessing a computer without authorization, even if it not secured, can be a crime under the CFAA. So the company is still a victim, and obviously the patients as well, even if they are incompetent. For the same reason that a person that gets burgled because they left their door unlocked when they left the house is still a victim.
But if you attest that your computer system is not accessible by any passersby in order to pass compliance, is that not also a crime? If it is indeed accessible to just anyone? HIPAA law violations and all that
I’m not arguing the person who stole didn’t commit a crime - just a lesser one than actually breaking in, cracking a safe, and making off with the jewels. I think the CEO and executive staff are culpable.