It's a bit more complicated than that. The real story is a combination of:
1. US health care privacy law (primarily HIPAA) has an "analog hole" of sorts. Basically, the security rules around phone/fax communications are far simpler and easier (and thus cheaper!) to comply with than the rules around things like digital networking. So people look at this, see that faxing things and then scanning them (or even paying people to do manual data entry) is cheaper than using more modern techniques and incurring compliance costs for the stricter security rules.
2. Doctors don't upgrade technology unless they have to. New systems cost money, and they don't want to spend money. Fax machines are established, understood, cheap. And they are actually one of the least scary things about the health system -- you don't want to know how many doctors are managing their records and interacting with insurance websites through IE on Windows XP, or even worse setups.
3. For all the crap you might throw at faxing as a way to do things, you have to admit it's easy. Electronic health record systems are a nightmare of badly-specified, horrendously complicated formats that no two vendors ever implement the same way. When consumers of electronic records, like insurers, sign up for clearing-house services, a good bit of what they're paying for is getting to make this someone else's problem.
Sure, but it's incredibly rare that such a neat dichotomy exists. In reality, there are plenty of alternatives, yet we stick to ones we perceive as more secure. I've heard the argument that fax is preferred over email because "you can just edit an email", and this highlights the issue. The difficulty bar is raised just a tiny bit for fax, yet the scrutiny is dropped right down.