They almost certainly did not. They likely just hired a cheap contractor to get their service up, and went with it when "it worked".

The contractor (who was certainly incompetent) probably looked at a bunch of nightmarishly complex identity API's and said "F** it!", combine that with being grossly underpaid and you get stuff like this.

It's a bad situation, of course, and involving threatening lawyers makes it even more ugly. But I can understand how a very small business (knowing nothing about IT other that what their incompetent contractor told them) might get really offended and scared shitless by some rando giving them a 30-day deadline, reporting them to authorities, and demanding that they contact all affected customers.

Sure they might get rightfully scared because their neglect caused potential issues for their customers and having that public might decrease revenue.

But that is ok I think. They should get scared enough to not risk such a neglect again

How is an insurance company a SaaS?

Most likely, the insurance company handles the actually insurance policies, claims, payouts, etc themselves, but uses a contractor to build their website, user portals, etc.

Survival (post diving accident) as a Service