The CEO of a Georgia-based orthopedic clinic told his patients in the wake of a breach last week that the company cannot survive if it pays for credit monitoring services for each of the 200,000 people affected.
"Of course, [patients] wish we could pay for extended credit monitoring," Athens Orthopedic Clinic CEO Kayo Elliott said in the statement. "So do we. We truly regret that we are unable to do so, as we are not able to spend the many millions of dollars it would cost us to pay for credit monitoring for nearly 200,000 patients and keep Athens Orthopedic as a viable business. I recognize and am truly sorry for the position this puts our patients in."
These costs, of course, are on top of what it will cost to improve the security of the clinic's network. Athens Orthopedic Clinic (AOC) was hacked on June 14, according to the company. But AOC did not discover the breach until June 27. By then, hackers had made off with 200,000 records for current and former patients, including names, addresses, Social Security numbers, birth dates, telephone numbers, diagnoses and medical histories.
It is believed that the records may be part of documents for sale online by a hacker who uses the name "thedarkoverlord," and who claims to have obtained more than 10 million health records he is selling to the highest bidder on the dark web.
Elliott acknowledged in a statement that many patients were upset and frustrated. In fact, a few law firms are exploring the possibility of a class-action suit, another offshoot of the breach that could spell financial ruin.
While Elliott's message is harsh and honest, it is neither the first nor the last time a small business will face the same choice. Breach-related costs can soar, especially in health care, where the average cost of a breach is $398 per record, according to the Ponemon Institute's 2015 data breach study.
That would represent $79 million in breach costs for AOC.
Large companies such as Target are typically able to absorb such costs and keep moving, often firing key employees to show that changes are being made.
In Dec. 2013, Target reported hackers made off with the personal information of 70 million of its customers. Target absorbed $252 million in gross breach-related expenses between 2013 and 2015, according to its SEC report.
In fiscal 2014, the year after the breach, Target's full-year comparable sales grew 1.3 percent and digital channel sales were up more than 30 percent, according to SEC reports. Target also paid dividends of $1.2 billion in fiscal 2014, an increase of 19.8 percent over 2013.
In the company's March 2014 SEC fiscal-year filing, Target said that, in order to limit its exposure to data breach losses, the company maintains $100 million of network-security insurance coverage with a $10 million deductible.
While Target and the AOC are in different revenue spheres and business sectors, their breach reports read the same: A hacker infiltrated their network using a credential stolen from a third-party vendor.
While the hacks may be the same, the consequences are not.
Small businesses are routinely finding themselves victims of hackers. Sixty percent of all online attacks in 2014 targeted small and midsize businesses, Timothy Francis, enterprise leader of cyber insurance at Travelers, told the New York Times in January. Ransomware is a common form of attack.
And these statistics are not comforting to end users who know their personal information is sitting in the databases of companies that may not have the aptitude to protect it or the financial means to defend their customers in the event of a breach. Stolen information is often used to make fraudulent claims for health care services, or open credit accounts, both of which can cause years of anguish for breach victims.
While Athens Orthopedic Clinic CEO Elliott is one of the first to make such a public pronouncement of a company's post-breach financial predicament, the death-by-breach scenario is real, and it is only going to get worse for companies that don't investigate ways to protect themselves.