I very much empathize with you. It sounds to me as though you are the primary caregiver, and I've been there myself.
I suggest that you send a letter to the surgeon by certified mail, return receipt requested, possibly by overnight mail, telling him to immediately stop sharing information with the friend. You can tell the surgeon in the letter that you will file a HIPAA complaint if he continues violating your Dad's privacy in this manner.
Before you write this letter, please visit this excellent website on HIPAA: http://www.hhs.gov/ocr/hipaa/
I'd especially like you to read this item, which is the second item down on the front page: "When Providers May Communicate About You with Your Family, Friends, or Others Involved in Your Care," to see whether any of the exceptions apply.
Since your father was going to give you POA but now can't, you should consider whether or not to start guardianship (conservatorship) procedures. Guardianship will give you the right to make decisions on your father's behalf.
I do suggest, from experience, however, that all the family members be involved in all decision-making regarding your father--perhaps also including whether or not you write a letter to the surgeon. This is the time for all of you to pull together.
Please write back if you'd like to discuss this some more. I'll be available all weekend long.