There are several ways to get rid of these emails. You can delete them completely from the system, utilize data shredding, and/or train employees on how to safely remove these emails, among other strategies.
There are several steps to take in this scenario. These include but are not limited to containing and fixing the breach, investigating what happened, notifying security and legal teams, telling affected parties, alerting the Office for Civil Rights (if more than 500 people were impacted), and implementing new policies to prevent it from happening again.