As I thought about you looking up those folks, I took it from the perspective that those people could now also have your info. I don't think wanting to know who might have your info is unethical or "wrong." (In full disclosure, I didn't finish my doc program in ethics, so what do I know compared to some therapist attributing "wrongness" as she should be sitting firmly in her own "wrongness." Talk about a great example of a T throwing her crap on a client.) If she knew Skype wasn't compliant, the breach sits firmly on her shoulders. She may not have known the details, but she knew it was a no-no. Using a noncompliant system previously doesn't mean it should have continued. At the least, it seems professionally irresponsible to me.