>Facebook chose to pool the data they received from customers and allow its use by others, so they are also responsible for the outcomes.

"chose" is doing a lot of the heavy lifting here. Suppose you ran a Mastodon server and it turned out some people were using it to share revenge porn unbeknownst to you. Suppose further that they did it in a way that didn't make it easily detectable by you (eg. they did it in DMs/group chats). Sure, you can dump out the database and pore over everything just to be sure, but it's not like you're going to notice it day to day. If a few months later the revenge porn ring got busted should you be charged with "intentionally eavesdropping" on revenge porn or whatever? After all, to some extent, you "chose" to run the Mastodon server.

Transmitting messages between users is a functional property of Mastodon that is of course visible and valuable to the users. Transmitting protected health data from Flo users to anyone with a dollar to buy some ads is not a functional property of Flo itself or a mobile ad product, and likely surprising to both Flo and Flo's users. Facebook has discretion on how they use that data. If this is a rare and unavoidable consequence of their business model Facebook should be comfortable paying the settlements as judgements occur.