((Animalia and her sister))
I think you're right. And frankly, I'm WAY surprised that the pastor did this without asking you.
Unless you have a history with him that suggests otherwise, I'd probably give the pastor the benefit of the doubt (once) about this being an honest mistake. If he and the church are otherwise important to your sister and your family, I don't know that it's necessary to block him -- but if you don't, I'd make it clear that you expect him to keep Sis's medical info private from now on, even if he's seen it on FB. It's entirely possible to send a prayer request without going into detail -- "please remember Animalia'sSister in prayer" or (if you're OK with this "please pray for Animalia'sSister, who's ill/ in the hospital." (Can you tell my church & pastor do this all the time?)
Seriously, if nothing else, the pastor needs to know he's on thin ice. In the US, at least, clergy aren't explicitly covered by HIPAA, but psychologists are, and especially if he's passing this info around electronically, it could get him in trouble (with his superiors and congregation, if not legally).