Disclosure: I was one of the victims of this breach. Happily, my bank caught it and called to ask if it was really me who'd bought those gift cards at Wal-Mart.
Mod parent + insightful, for truer words were never spoken. Seriously, someone should have gone to jail for being so negligent with sensitive information like that, and no, it almost certainly was not anyone whose job it was to see to such things. It was, most likely, someone with budget control over that department who "...didn't see the value in being so paranoid about security..."
Look, TJX is still in business, so $41 million probably didn't hurt enough to make that a lesson that would be learned by other businesses. If the negligence had ruined TJX, and landed some VP asses in jail, things would be different. But it didn't, and they're still not.
Maybe there should be a "terms and conditions" document that businesses, hospitals, anyone who collects and stores sensitive information, should have to sign each time they collect such information, acknowledging their responsibility to safeguard it. Maybe "putting it in writing" every time they add to the database would at least make the legal department take notice.