[chclt]

The people affected by the drug trade are not affected by the act of selling drugs but by secondary crimes (which arise because selling drugs is illegal and vendors cannot take advantage of the legal framework).

Also the people affected by this incident alone number in the millions.

[donatj]

The harm of data loss is entirely the harm caused by secondary bad actors.

No ones life is directly injured because of a data leak. It's just data, it is entirely inert on it's own. Their life is injured entirely because of what third parties do with that data.

If data leaked and there were no bad actors in the world, there would be zero harm.

[p1esk]

How many people will die or have their lives destroyed because of this incident?

[chclt]

As a sibling comment to mine points out, people who "die or have their life destroyed" is simply one way to define victim in this context.

With mental health data being at stake here, the amount of victims under this definition could also very well be non-zero.

Anyway there are a lot of crimes, that don't produce those kind of victims. If I mug someone and don't kill them or destroy their life in the process, have I not commited a crime?

The privacy infringement here is an obvious damage to the dignity of everyone affected. Wouldn't you feel victimized if I listened in on you speaking with your doctor, wrote everything down, stamped your name, address, and date of birth on it and started giving out copies of the resulting paper to random people? Which is exactly whats happening here, except my example is more harmless by a factor of a few million people and has a lot fewer data points.

[p1esk]

Wouldn't you feel victimized if I listened in on you speaking with your doctor, wrote everything down, stamped your name, address, and date of birth on it and started giving out copies of the resulting paper to random people?

I would. I would also feel victimized if you mugged me (without killing me or hurting me physically). The question we are debating here is - should you be punished equally harshly in this two scenarios? I'm leaning towards "no". If you disagree I would like to understand your reasoning.

[gameman144]

Scope of impact is important here.

A doctor who reveals some information on one of their patients should be treated less harshly then a mugger of one person.

A mugger who robs ten people should be treated more harshly than a mugger who robs one person.

A doctor/company who reveals thousands of patients' information can reasonably treated more harshly than a mugger of ten people, because the absolute negative impact may be greater.

[p1esk]

OK, this is a good point. Still, you're comparing an act of hurting people to an act of potentially hurting people. An investigation into the harm done by private data sales would be helpful.