What could a data breach cost you?
A single breach is rarely “just IT.” Put in your numbers to see illustrative ranges — response costs and the legal exposure that can follow — for an office your size, under the rules that actually apply to you. Illustrative only — not legal advice.
Your numbers
“Records” counts cumulatively: everyone whose data you’ve ever stored, not just those active this year. Old files still count in a breach.
Illustrative exposure
Illustrative estimate only — not legal advice, not a prediction, not a quote, and not a guarantee. Simon Says Systems is an IT and security services company, not a law firm, and does not provide legal advice. This tool multiplies published per-record and per-violation figures by a number you enter to show a hypothetical worst-case range; real-world liability is almost always far lower and depends on the specific facts, your security controls and defenses, whether data was encrypted, certification of any class, and regulator and court discretion. Figures reference California CMIA nominal damages of $1,000 per individual (Civ. Code §56.36(b)) — which, per the California Supreme Court (2026), requires showing data faced a significant risk of unauthorized access and is not automatic; CMIA civil penalties of $2,500–$250,000 per violation (§56.36(c)); federal HIPAA civil penalties effective Jan 28, 2026 ($145–$2,190,294 per violation; $2,190,294 annual cap); and the FTC maximum civil penalty of $53,088 per violation. No figure here is a statement of what you owe. For any actual assessment of your exposure, consult qualified legal counsel.
Most of that exposure is preventable — and far cheaper to prevent.
Encryption, MFA, backups, monitoring and the documentation that proves it. Book a free 20-minute check — no obligation, and we never ask for patient or client information.