The riskiness of a security or privacy breach is far more than just the number of records involved. There are countless examples of hospitals and hospital chains that suffered millions in losses because of breaches involving a small amount of records.
A great example of this risk just recently occurred. A large and well-managed chain of hospitals, with adequate protocols and controls was slapped with a multi-million dollar lawsuit. The highlight of this example is not the lawsuit itself, but the fact that the lawsuit stemmed from two different and unrelated 1-record breaches. One record was exposed to a party who it was not supposed to be exposed to and the result was millions of dollars in costs for this company. These costs are only related to litigation.
Several other tangible and intangible costs were incurred for regulatory non-compliance, reputational damage, firm disruption, etc. Firms that aren’t properly prepared to manage a breach leave themselves very susceptible to this risk.