With such sensitive information they should really avoid CC/BCC and do it manually, or write a script for sending 1 email at a time. Not because CC/BCC is bad, but because you want to be 100% sure to dodge this kind of problem.
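One way to do the "one email at a time" approach the comment suggests, as an added example (not code from the commenter or from the thread): each recipient gets their own message, and a check refuses to send if any message carries more than one address. The recipient list is constructed sample data and the SMTP sending function is injectable, so the logic can be exercised without a mail server.

```python
"""Send one message per recipient so no one ever sees another recipient's address.

Added example, not from the thread. The recipient addresses below are
constructed sample data; the sender function is passed in so the message
building and safety check can be tested offline.
"""
from email.message import EmailMessage
import smtplib


def build_individual_messages(sender, recipients, subject, body):
    """Return one EmailMessage per recipient, never a single multi-recipient mail."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt  # exactly one visible recipient per message
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def check_single_recipient(msg):
    """Safety check: exactly one address in To, and no Cc/Bcc header at all."""
    if msg["Cc"] is not None or msg["Bcc"] is not None:
        return False
    to_addrs = [a.strip() for a in str(msg["To"] or "").split(",") if a.strip()]
    return len(to_addrs) == 1


def send_individually(sender, recipients, subject, body, smtp_send):
    """Validate every message before any is sent; abort on the first bad one."""
    messages = build_individual_messages(sender, recipients, subject, body)
    for msg in messages:
        if not check_single_recipient(msg):
            raise ValueError("refusing to send: message would expose recipients")
    for msg in messages:
        smtp_send(msg)
    return len(messages)


def smtp_sender(host):
    """Real sender for production use: one SMTP delivery per message."""
    def _send(msg):
        with smtplib.SMTP(host) as server:
            server.send_message(msg)
    return _send


if __name__ == "__main__":
    # Constructed sample recipients; swap in smtp_sender("mail.example.org") for real use.
    outbox = []
    n = send_individually("clinic@example.org", ["a@example.org", "b@example.org"],
                          "Appointment reminder", "See attached details.", outbox.append)
    print(f"prepared {n} separate messages, each addressed to exactly one person")
```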
That'll be part of why they got the fine. One component of GDPR is taking reasonable steps to avoid leaking personal data, and as you pointed out, relying on someone remembering to BCC rather than CC is asking for trouble.
Not just that. Health data is considered especially sensitive by the GDPR, so sharing it is a more serious transgression than simply sharing personally identifiable information in general.