There's no way of telling who did it. From past similar incidents, it is LESS likely to be a member of the treatment team, and more likely to be someone who figured out how to access the medical records, but who would not have had permission to do so. Keep in mind that most hospitals use EMRs now, so if that hospital used an EMR, the perpetrator would just have to bring a thumb drive or stick and download the folder into it. It could all be done rather quickly, I am sorry to say.
However- all EMRs that I have ever used also establish a trail of who accessed the system and their passwords. That doesn't necessarily make them able to catch the thief of Schumacher's records, who will have tried to cvoer their trail, but it does allow them to figure out which computer terminal was used to do it, and when it occurred, more than likely. Most hospitals also have cameras in them- I know that the one I work in does, because there was an incident a few years ago and several staff were fired over it. So there is a fairly good chance that the person or persons who did this will be caught.
When they get caught, the law should be applied to the fullest extent of the possible penalty. Stealing someone's medical records is loathsome. There is no excuse possible. There is NO "public right to know" or any of that crap. It is stealing, for money, and nothing else, and an inexcusable invasion of a sick person's privacy and dignity. Years in prison would be too little.