Based on news stories, it seems to me that the vast majority of data breaches, and the ones that the most massive in scale, are the result of inadequate role based security. That's what happened with the NSA and military breaches.

Where I work, the permissions for service accounts or domain groups are segmented into roles based on least set of privillages required for their function. We also implement symmetric key encryption on PHI columns, so even those accounts with direct access to tables (like DBAs or BI reporting) can't see actual SSN, address, phone, etc.