I've heard there are a couple Google Ventures - backed healthcare startups that have questionable HIPAA-compliance as well, directly from clients that have worked with them. They're not necessarily holes in GCP itself but rather in integrations with certain services.
