Simply WTF. If nothing else but "names, birthdays, medical IDs/social security numbers" would've been stolen, that in itself would've been much more then acceptable. Hell, one would expect the most sensitive data of people would be more protected... At the very least, the company should cover IDtheft protection expenses for _all_, for at least a year, maybe more. Plus, they should be fined, with such a large amount that they'd get scared, and start implementing _real_ data protection policies. Yeah, you wish...
At companies and agencies handling such data, _all_ kinds of data leaks or thefts should be treated as criminal offenses and they should be punished, I mean really punished. If you can't handle the protection of the data, don't handle them in the first place.
While I also consider the thieves to be criminals, I'm more angry with those, who simply are inept to protect their best assets, even more so since they have the money, manpower and resources to do so.
Also, I'd like to see a national blacklist established, with all companies and agencies on it, who had similar massive data breaches, and made publicly available, so as everyone could judge and decide whether they'd like to entrust their data to such idiots.