Shielding the physician's name from public notification supports the failure to protect personal patient info. A HIPAA fine would be appropriate here too. Public shame and a pocketbook hit from outside the facility would have more influence. The minimum HIPAA fine is $100 per violation, up to $25,000.
There are no laws requiring disclosure of guilty parties, only disclosure of the incident. In many cases, the organization’s CISO will act as the whipping boy/girl for the incident, but I’ve not seen them come forward either. Barring a FOIA request, I don’t think they’re required to disclose payment of fines under HIPAA either.