Duke fined $10M for cybersecurity lapses since 2015