MAJOR violation of patients' privacy. HIPPA and PHI were the first issues at hand that I thought of. And you are right, both present an excellent opportunity to go after these individuals as well as the government. Action should be initiated immediately by those on the list that are U.S. citizens. However, I addressed the points of access and responsibility so that the information gets out there and to disprove the officials' statements that they are going to 'investigate', as if it would take ages to track the people responsible for this. It is all digitized and logged by user id. On a second note, many state laws are not pre-empted by HIPPA (such as the ones covering minors with regards to sexual health and pregnancy) and thus take precedent. However, privacy protection is enforced by both state and federal law. As far as I've seen, no medical information about the individuals has been disclosed to unauthorized parties, but the demographic information was most likely disclosed by an employee (s).

Examples of disclosures for treatment, payment and health operations:

To a nurse, physician or other member of your health care team
third-party payer
business associates
research
funeral directors
Organ Procurement Organizations
Food and Drug Administration (FDA)
Workers Compensation
Public Health
Law Enforcement

And many others...