Just out of curiosity what would changing all of my important account logins achieve if the leak was a healthcare provider that doesn't have anything other than my medical history and insurance card (I never sign up for "patient portals" and the like.)? Not trying to go against what you're saying as I already do most of what you're recommending there. In fact I actively avoid 2FA by SMS in favor of Authentication apps (such as Aegis), and use a password manager to randomly generate all my logins.