It should be criminal not civil. Nothing but pure incompetence. Remote access to a level 1 system, no use of dual factor authentication. No web front end sitting in a DMZ and appropriate network infrastructure/firewalls blocking access to the backend database. No IDS/IPS, no monitoring, no auditing. Faking or ignoring a C&A audit.
My Security+ cert tells me that it ought to be a criminal matter.