Not all of the various silos within evilCorp structure knows what the others are doing, if even the groups within the same silos know what is going on.
It's inexcusable, honestly. These are the kind of decisions that not only need department head approval but also CTO approval. If the CTO didn't see it coming, they failed.
HIPAA isn't some random cert you have to satisfy a single big customer. It needs to be a priority and all business decisions have to be made around it. GDPR is another one.