While it doesn't apply in this particular case, for healthcare organizations the HIPAA privacy rule implies a legal responsibility to lock out terminated employees from any access to protected health information.
That doesn't absolve an employee (or ex-employee) of the covered entity going about and abusing the access they do have.
That doesn't absolve an employee (or ex-employee) of the covered entity going about and abusing the access they do have.