>This is similar to a HIPAA "breach"

It's not, at all. The FB API was designed to give out this information before it was changed. That means the friend data was not need-to-know like healthcare data.