This company is just asking for a lawsuit. Medical information should NEVER be on any network, ever. Having said that, if they won't put it on a backup and on a machine in HR's office, it should be put into a password-protected LUKS- or PGP-style encrypted container.
The users who are simply using the network at lunch break or who are doing work on their own devices aren't at fault. Having that data hanging out there is 100% of the company's fault.
At least put the offending data on its own subnet. Another thing you can do is to use 2 routers off of the connection: one for high-security, DMZ-type network data, another for normal use. This gives you 2 networks instead of one.