EVERYBODY involved with the leaking of personal information has violated the HIPAA Law. Arrest them.
Actually, it's not just HIPAA. I believe that if you take credit card payments on a website, the entire system has to be PCI DSS (Payment Card Industry Data Security Standard) compliant. Otherwise, the major payment card vendors will not allow you access to their financial networks.
If the government were to force these vendors to abandon their own security standards, then we've got a real problem here.