Breathing air in the street is harmful, but until you can show the damage done by it, there is no actual harm been done. — Sir2u

No ... it's harmful, as is your premise.

Proving it is harmful, how harmful it is exactly, who's causing the air to be harmful, what the law should do, if anything, about this harmful air, would be different questions.

In order to show the air does damage the air must be already harmful in order to be able to show that.

I assume, to introduce another premise, you're thinking of pollution that people are generally not aware is harmful and therefore no one is liable for the damages caused until someone "proves" it is harmful.

If so, that is not a correct understanding of the law anyways, but is not applicable to this case of privacy.

We know invasion of privacy is harmful, why it's illegal. The damages caused by the harm are psychological distress of feelings of violation and placing the victim at risk of further crime (which is more psychological harm as well as enabling those actual additional harms).

Although awareness of the invasion of privacy is required for that harm "to be felt", that is not a condition for the crime of invasion of privacy.

In the same way that if I punch you in the face while you're in a coma, "that you didn't feel it" would not be a defence for the crime of assault; likewise, if I poison you but you'll only die next year, there is no need for everyone to wait for next year for me to be charged with poisoning you: "Wait! Wait! I have a year before he dies! You've got the right man at the wrong time! I need to do my bucket list, poisoning a guy was only number 7, so I used a clever delay!" is not a legal defence for poisoning in order to delay charges and trials.

The possibility is always there, like the trees killing people in parks these last few weeks, but until you can show that there is ACTUAL harm done by the things you explain in your theory nothing has happened. — Sir2u

If you're now talking about the OP, breaching people's data integrity is in itself harmful. Putting people at unnecessary risk of harm is itself harmful, which is why reckless endangerment is a crime. If you shoot arrows into a crowd and happen not to hit anyone: no harm done, still a crime.

Compromising people's data recklessly is basically a form of reckless endangerment, but since the world of data is complicated there's whole laws dedicated to the issue. In the US the law concerned would be mainly HIPAA (as medical information is involved) whereas in Europe the GDPR is the general regulation that covers all personal data and there's even stricter requirements for both medical and child information, as well as other laws and regulations that may apply.

These particular data security vulnerabilities (enabling spoofing of a domain that puts people at risk if it is spoofed, shady data processing on parallel domains, and non-transparent ownership of domains) have already been ruled by European courts as "inappropriate security" (as is common sense), which is the catch all term for what you are not supposed to do under the GDPR while handling people's data.