In the "wow, that sounds bad" category, the University of Florida announced on November 12 that on October 3 it discovered that 333,000 unencrypted records for patients at its College of Dentistry had potentially been accessed by unauthorized individuals. To make matters worse, the breach itself was caused by malware that was remotely installed on the University's system. To make matters even worse, the malware was only discovered during a server upgrade (rather than, say, because the University's system detected and prevented installation of the malware). So, to recap, the facts (as set forth in this article from Computer World) are: (1) more than a quarter million records were exposed; (2) notification took more than a month after discovery; (3) the records were patient records; (4) they were kept unencrypted; (5) on a system that was vulnerable to remote installation of malware; and (6) no automated security systems detected the remotely installed software.
Now, as it happens, I've presented the facts in such a way as to accentuate the negative, and I've done so to make a point: you aren't as protected as you think. While I don't know all the facts about this breach, from the facts I do know it's not clear that any laws were broken either before or after the breach took place (other than by the remote installation of the malware, of course). The HIPAA security standard regarding encryption (45 CFR 164.312(a)(2)(iv)) makes encryption of data an addressable standard, not a required one. Similarly, Florida's security breach notification act allows a 45-day period within which notice may be given, so the month-plus delay in this case could be (and, according to a spokesman, actually is) within Florida's law. Of course, even if there had been flagrant violations of both HIPAA and Florida's notification law, that wouldn't make much difference to the individuals whose information was exposed: neither HIPAA nor Florida's law provides for a private right of action.
The bottom line? Laws relating to privacy and information security aren't as comprehensive or as effective as consumers may think. If people really want legal protection for their personal information, they should work to get new laws passed, not simply rely on the laws on the books. Otherwise, they could be in for a sad surprise when and if they try to go to court for redress when their own information is exposed.