The defense, especially in medical malpractice cases, may be routinely violating HIPAA. When a doctor gives medical information to a "business associate" (which should include their defense attorneys), they have to meet HIPAA requirements. If they don't, they can be subject to civil and criminal sanctions-or at least deserve to be roundly embarrassed on the witness stand.
When your client signs the necessary medical releases, narrow the releases as much as possible. Require that the released information not be shared without your client's further permission.