Oversight is Inevitable, So Prepare Accordingly
Of course CHS would like to believe it was a sophisticated attack and perhaps it was. However, the idea that it was an unaccounted for connected test server seems very plausible.
If it was indeed a connected test server, its very easy with 20/20 hindsight to say this breach could have been prevented. In my opinion that's an unsuccessful security posture.
I think its better to assume things will fall through the cracks and prepare accordingly. We've conducted many large scale studies into the frequency of rogue digital assets tied to brands, like rouge web infrastructure, unknown websites/apps on or off domain/ASN, rouge mobile apps., etc.
Its across the board in every type of organization, in all industries, that something belonging to them exists that's connected to the Internet, that is unknown and thus outside the scope of a given organization's security program.
At first glance this gap may appear harmless, but its now leading to data breaches large and small because so much valuable data is being collected and stored in so many different ways.