Staff need access to patient data to care for patients effectively.
But what happens to that access when a member of staff leaves, or changes roles and no longer needs the access they had previously?
If permissions are not removed, then the employee could still access this data, even after they have left the company, leading to a data breach.
This might not cause any problems if the employee never tries to access the data, but what happens if the ex-employee is disgruntled and wants to do something to bring your company into disrepute?
If that employee has weak password practices, such as using the same password across multiple sites, and this password becomes known to criminals through a data breach at a different company, then those criminals might try the same credentials on your network.