[lmkg]

It depends on the jurisdiction and law, but a "data breach" is when data is accessed by a party who is not authorized, or who should not be authorized. It's not just hackers. Sending data to the wrong recipient is a form of data breach. Under some definitions, sending data to the intended recipient without appropriate safeguard is a form of data breach.

In this case, health care data covered by HIPAA was sent to a party without a legal contract that extends HIPAA to the receiving party. By law, that's a data breach.

Under some legal definitions, "data breach" includes not just breakdowns of confidentiality, but also of availability and/or integrity. So a company deleting your data by accident would be considered a data breach, even though it's being accessed by fewer parties than intended. This can be important: imagine a bank or credit agency losing some or all of the data about you, this would materially impact your ability to do business in the modern world.