Private health data was compromised as well, on a smaller scale. It doesn’t make sense to blame users for a security breach of a corporation, literally ever. That’s my point. The friend was dumb, and you shared something maybe you shouldn’t have. But that doesn’t also absolve the company of poor security practices. I very strongly doubt that 14,000 people knew or consciously chose to directly share with a collective 7 million people.