I feel this information should be actionable on our part.

Should we be notifying a specific medicaid state office where this leak originated?

The employee (and I say employee because it is most likely a single person) who leaked this presents a major breach of HIPAA (The health insurance portability and accountability act) by leaking PHI (private health information). This has serious legal repercussions.

If we don't regulate, who will