It likely fell under a permitted disclosure, as the AG stated they were pursuing a billing fraud investigation. Maybe still a case, if the disclosure was unnecessarily broad though.
Per Health and Human Services:
Health Oversight Activities. Covered entities may disclose protected health information to health oversight agencies (as defined in the Rule) for purposes of legally authorized health oversight activities, such as audits and investigations necessary for oversight of the health care system and government benefit programs.
It likely fell under a permitted disclosure, as the AG stated they were pursuing a billing fraud investigation. Maybe still a case, if the disclosure was unnecessarily broad though.
Per Health and Human Services:
Health Oversight Activities. Covered entities may disclose protected health information to health oversight agencies (as defined in the Rule) for purposes of legally authorized health oversight activities, such as audits and investigations necessary for oversight of the health care system and government benefit programs.
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html