Thanks for making me think. I tend to agree that this case isn't the best one to provide a clear model of financial liability, because as you eloquently point out, the damage here isn't the sort that gets a sympathetic hearing for financial liability. However there is an expectation of privacy, and that has been violated because the AM site didn't make a decent attempt at security, and for that it deserves to be punished.
A more general case arises over medical data, or data that would enable identity theft. In the case of medical - or indeed legal - data, there is a very strong presumption of confidentiality because that is at the heart of what those professions are about. I need to be able to trust those professionals in order to enable me to benefit from their services. If I'm not confident what I tell my doctor will stay private, I'm liable to edit what I tell him - and end up with the wrong diagnosis. Whilst it may be difficult to identify specific damage from a particular data loss, the overall effect of destroying confidentiality would be very serious. To the extent that this fiasco chips away at that real trust, it has a far wider significance than a 'financial' calculation points to.