Ultrasaur Blog

Keeping track of exciting new threats to your digital records.

Data breach risk

According to Verizon the average insider-sponsored data breach nets the attacker 100,000 records. This is considerably more than attacks from other vectors (outsiders & partners), which makes sense if only from a bandwidth perspective.

Interesting though it is to read about, Spire Security makes the point that multiplying the % of attacks by the # of records stolen to calculate a pseudo-risk (likelihood × impact) isn’t especially useful. (Unlike him, I’m more inclined to forgive the base rate fallacy problem, since the solution shouldn’t be to change the structure of a business’s affairs.)

I think the major flaw in calculating risk is that there is so much variety in how you can calculate the impact. If stealing 100,000 records means taking the company directory, it’s relatively benign: in fact, taking so many records might be a symptom of the attacker not knowing what they want to take.

And copying 8 million prescriptions is less bad than deleting them, which is itself less bad than altering some of them to be fatal.
