In the US, HIPAA https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act would have applied. The Feds would Not Have Been Amused. As far as I can see, m'girl would, at the least, have been liable for up to US$50,000 per offense to a max of $1,500,000. Or, if the judge wanted to heave the book at her (and he'd be a federal judge, they just love to throw the book, have a nice lapdog prosecutor go and retrieve it, and then throw it again) a fine of $50,000 per offense plus one year per offense ranging up to $250,000 per offense and 10 years in a federal pokey per offense, should the judge feel that there was an attempt to 'use individually identifiable health information for commercial advantage, personal gain or malicious harm'. That's 231 offenses. If she gossiped about even one, that's malicious harm, and she's looking at up to $250,000 and 10 years times 231. In the real world even the feds don't go for the max unless you piss them off, but they can if they want to.
M'girl got off lightly.
There is a reason why some people refuse to do any work involving health info. HIPAA has very big, very sharp, teeth, and the feds deploy it with fell intent. https://www.medprodisposal.com/20-catastrophic-hipaa-violation-cases-to-open-your-eyes Note that several of those cases involve people who did less than what m'girl did, and got seriously hammered.