*Raises hand*

As Eg said, in a perfect world, they'd all be liable. Here's my breakdown of the liability:

Professor -> Did not disclose vulnerability to manufacturer, provided tool to students to exploit that vulnerability
Student -> As a security student, should've been intelligent enough to at least encrypt the tool, or better yet, keep it off the net in the first place
Script Kiddie-> Disseminated tool
Johnny -> Wrote a worm in a non-quarantined network (i.e NOT connected to the internet)
Mallory -> Broke in to a system
Alice -> Unsecure system
Hospital SysAdmin -> Put database on system which is accessable from the Internet, did not secure system
Doctor -> Should have a hard copy of patient record

In the "real world," I would suppose it would depend on how far back the issue could be tracked. If no one bothered to look in to WHY the doctor gave a med that the patient was allergic to, then he'd probably bear the brunt of legal responsibility. Because of bueaurocracy, I would say that the highest up the ladder that anyone would bother investigating is the hospital SysAdmin.