
Doppel Charges $200K to Suppress the $30K Warning. Medtronic's Disclosure Exposure Is $295M. The Brand-Protection Math Inverted in December 2023.

  • Writer: Patrick Duggan

May 6, 2026 · DugganUSA LLC


This morning Doppel sent us a trademark takedown demand against the post warning Medtronic about the breach Microsoft Security Response Center confirmed three days ago. We covered the legal absurdity in the first post. This one is about the money.


After running the receipts on Doppel's funding history, their published customer list, our own feed pricing, R.R. Donnelley's $2.125M SEC settlement, HIPAA Tier 4 caps, the ShinyHunters 9 million record claim against Medtronic, and the existing class-action exposure curves on cyber incidents, here is the picture in one paragraph.


Medtronic is paying an estimated $200,000 per year to Doppel for an AI bot that suppresses the public security warning that came in six weeks before their breach. The same intelligence is available from us free at the public STIX tier or thirty thousand a year at the Enterprise tier. Their potential disclosure-failure exposure across SEC Item 1.05, HIPAA OCR, securities class action, and state AG follow-on is in the forty to two hundred ninety-five million dollar range. The ratio of that exposure to the vendor cost is between two hundred to one and one thousand four hundred seventy-five to one. The brand-protection product, in 2026, is a liability multiplier. This is the math.



The Three Companies, In Order Of Capitalization


Doppel raised seventy million dollars in November 2025 at a six hundred million dollar valuation. Total raised one hundred twenty-four million across Seed, Series A, Series B, and Series C. Lead investors include Bessemer Venture Partners, Andreessen Horowitz, and George Kurtz personally. Customers include Coinbase, OpenAI, Notion, Shopify, Ramp, Commerce, Orrick, United Airlines, and Ark Invest. Total customer count two hundred plus, with dozens in the Fortune 500.


Their pricing is contact sales only. We will reverse-engineer it below from public funding and customer numbers because they will not publish it.


Medtronic plc trades on the NYSE under the ticker MDT. Market capitalization roughly one hundred twenty billion dollars. Large accelerated filer. Headquartered in Galway, Ireland. ShinyHunters posted a claim on the dark web on April 17, 2026 alleging nine million records and additional terabytes of internal corporate data. Medtronic confirmed unauthorized access on April 24. Filed an 8-K on April 27 under Item 7.01 (Regulation FD Disclosure, "furnished" not "filed") with the explicit assertion that the incident is not material. Zero filings under Item 1.05 (Material Cybersecurity Incidents) appear in the Medtronic EDGAR submissions index for all of 2026. We pulled and confirmed.


DugganUSA is in Minneapolis. We run a public threat intelligence feed at analytics.dugganusa.com. Free tier zero dollars, Enterprise tier thirty thousand a year, Medusa Suite one hundred eight thousand a year. Coverage is one point zero four million IOCs, three hundred sixty-one adversary profiles, seventeen point nine million documents across forty-four indexes. We sent Medtronic a vishing-chain warning on March 19, 2026 to [email protected]. We received an autoresponder from [email protected] confirming delivery. Six weeks before the breach. We have the timestamps.



Reverse-Engineering Doppel's Pricing


Doppel will not publish it. We will infer it.


A six hundred million dollar Series C valuation in late 2025 for a software company with three times year-over-year ARR growth is consistent with a revenue multiple in the twenty-five to forty range, depending on how investors weighted the three-year CAGR (Doppel's is two hundred thirty percent since 2022) and the F500 customer expansion (five times in the year). The midpoint multiple of thirty implies approximately twenty million dollars in annual recurring revenue at the Series C close.


Twenty million dollars across two hundred customers averages out to one hundred thousand dollars per customer per year. That number is consistent with public Gartner Peer Insights commentary noting some customers find the service expensive for what they need. Mid-market customers likely pay thirty to eighty thousand. Mid-enterprise customers in the one hundred to two hundred thousand band. Fortune 500 customers with executive protection plus dedicated SOC plus DRP plus Human Risk Management likely three hundred to five hundred thousand or more.


For a hundred-twenty-billion-dollar publicly-traded medical device manufacturer with global brand exposure and a recent Series C vendor selling them takedown enforcement, two hundred thousand dollars per year is a plausible midpoint estimate. We will use it.



Comparing To Our Feed


Our public STIX feed is free. Two hundred seventy-five consumers in forty-six countries pull it daily, including Microsoft, AT&T, Starlink, and Hetzner. Those consumers were on our list when we sent the Medtronic warning on March 19. So was Medtronic, in the sense that any analyst at Medtronic Product Security pulling the public feed would have seen the same indicators.


Our paid Enterprise tier is thirty thousand dollars per year and gives fifty thousand queries per day across all forty-four indexes. Our Medusa Suite is one hundred eight thousand per year and adds the AIPM AI-presence scanner and structured IOC alerts.


The pricing comparison, side by side:


Doppel mid-enterprise: approximately two hundred thousand per year. Buys you an AI bot that issues trademark takedown demands against truthful security reporting under perjury attestations the trademark statute does not authorize. The notice we received this morning is the example.


DugganUSA Enterprise: thirty thousand per year. Buys you the actual threat intelligence that warned Medtronic six weeks before the breach Microsoft Security confirmed three days ago.


DugganUSA free public STIX: zero dollars. Same intelligence, throttled.


The delta from Doppel mid-enterprise to our Enterprise feed is one hundred seventy thousand per year more for the suppression layer than for the warning layer. The delta from Doppel mid-enterprise to our free tier is two hundred thousand per year more for suppression than zero dollars for the warning.


At the nine million record breach scale, the per-affected-customer cost of the takedown bot is approximately two point two cents. The per-affected-customer cost of the warning at our Enterprise tier is approximately one third of one cent. The per-affected-customer cost of the warning at our free tier is zero. Medtronic spent roughly seven times more per affected person on the suppression layer downstream of the breach than they would have spent on the warning layer upstream of it.


This is before we count the disclosure exposure.



Medtronic's Disclosure Exposure, Vector By Vector


The SEC adopted Item 1.05 of Form 8-K effective December 18, 2023. Public registrants must disclose material cybersecurity incidents within four business days of determining the incident is material. The rule was the SEC's response to a decade of underdisclosure of cyber events.


The direct precedent for what happens when a public company gets its disclosure controls wrong on a cyber incident is R.R. Donnelley & Sons Company, June 2024, settled for two point one two five million dollars in civil penalties under Section 13(b)(2)(B) of the Exchange Act and Rule 13a-15(a). The SEC charged inadequate alert escalation, inadequate disclosure controls, and inadequate prioritization of cybersecurity incident reporting. RRD cooperated, remediated, and reported the attack to the SEC before disclosing it to investors. They still paid two million dollars.


For Medtronic, applying the RRD pattern plus the additional facts of the case, the realistic SEC exposure stacks across three charge types: Item 1.05 failure (if the April 27 Item 7.01 filing is later determined inadequate to the materiality), disclosure controls failure (if the March 19 Product Security autoresponder did not trigger materiality assessment), and Section 13(b) accounting controls failure (if cybersecurity events are not captured in financial reporting controls). Total SEC range: five to fifteen million dollars in direct civil penalties.


HIPAA exposure depends on whether the affected systems contained protected health information. Medtronic's April 24 statement says no patient safety impact. Nine million records of corporate data plus terabytes of internal information, in a medical device company's environment, almost certainly intersects ePHI somewhere. HIPAA Tier 4 willful neglect not corrected has a 2024 inflation-adjusted cap of two point one three million dollars per category per year. Realistic HHS OCR exposure range across multiple categories: five to thirty million dollars.


The plaintiffs' bar is already organizing. The Lyon Firm published a piece titled "Medtronic Data Breach Investigation, 9 Million Records Allegedly Leaked" the same week as the breach confirmation. Class action filings for cyber incidents at this scale typically settle in the twenty-five to two hundred million dollar range, depending on stock impact, scope, and disclosure adequacy. Equifax was one point three eight billion. SolarWinds was twenty-six million. Target consumer side was thirty-nine million plus separate institutional cases. The nine million record count plus the disclosure path choice puts Medtronic in the twenty-five to two hundred million dollar zone.


State Attorney General follow-on actions across multiple state jurisdictions: another five to fifty million dollars realistic.


Total realistic exposure if the disclosure path is later challenged: forty to two hundred ninety-five million dollars.


Doppel cost: two hundred thousand dollars per year.


Ratio: two hundred to one thousand four hundred seventy-five times.



Why The Brand-Protection Vendor Math Inverted In December 2023


Pre-Item-1.05, the brand-protection vendor pitch was simple. We keep the bad news off the internet. If the news does not reach mainstream coverage, the company avoids reputational damage, and that is worth the spend. The vendor's product was the suppression of public discussion.


The arithmetic worked when the alternative was the company's own discretionary press release on its own timeline. It worked because the disclosure was optional.


Item 1.05 made the disclosure mandatory. Materiality determination plus four business days plus an 8-K. The breach gets disclosed regardless of whether the brand-protection vendor scrubs every blog and X post.


The vendor's product still costs the same. But the value proposition has inverted. Suppression activity now produces a discoverable paper trail. Every takedown notice, every CC to the customer's enforcement queue, every "penalty of perjury" attestation against truthful security reporting becomes evidence that prosecutors and plaintiffs' counsel will subpoena and use to argue intent. The vendor was selling silence; the vendor is now manufacturing exhibits.


For a publicly traded company in 2026, the ratio of the math is pitiless. Two hundred thousand dollars per year for the bot. Forty to two hundred ninety-five million dollars in disclosure-failure exposure that the bot's outputs will be cited to support. Even if the bot saves the company from one bad-news cycle, the suppression evidence trail multiplies the legal cost of the next disclosed incident by orders of magnitude.


The product worked on the previous regulatory regime. It does not work on this one.



The Real Comparison


The economically rational stack for any publicly-traded company holding sensitive data in 2026 looks like this. Subscribe to the warning layer. Pay thirty thousand a year for an actual threat intelligence feed that puts you on notice of incoming campaigns before they reach you. Document the receipts. Build a defensible advance-disclosure trail showing your security team was monitoring, was warned, did receive notice, and had opportunity to mitigate. When the eventual incident lands, the materiality determination is straightforward and the four-business-day Item 1.05 filing is honest. The SEC has nothing to investigate. The class action plaintiffs have a much harder culpability story to tell.


Or, alternately, pay two hundred thousand a year for the suppression layer. Build a paper trail of perjury-attested takedown demands directed at independent security researchers. Suppress the warning that came in six weeks before the breach. File the eventual 8-K under Reg FD with a non-material claim. Wait for the SEC investigation that follows the cross-victim cluster pattern. Wait for the class action that follows the nine million record count. Wait for the HHS OCR breach notification timer to run out.


Pick one. The market is not yet pricing the inversion in. We are.



A Closing Note On Counter-Positioning


DugganUSA was not a competitor of Doppel before this morning. Different product category, different distribution, different price point, different customer pitch. We sell threat intelligence; they sell brand protection. We had no reason to write this post.


Doppel sent us a perjury attestation against truthful security reporting at five sixteen UTC this morning. We replied to their disclosed retraction handle, [email protected], at thirteen forty-six UTC offering them an opportunity to withdraw the notice. The offer is open. We will publish their response in full at the URL of our previous post.


If they choose not to withdraw, the math above stands. The customers Doppel signs in 2026 are signing for a product whose value proposition was inverted by SEC rule eighteen months ago. The customers Doppel signs in 2026 are signing themselves into a discoverable paper trail of suppression activity that worsens their post-breach legal posture by two hundred to one thousand four hundred seventy-five times the vendor cost.


We are reachable at [email protected]. The feed is at analytics.dugganusa.com/api/v1/stix-feed. The free tier is twenty-five queries per day, the paid Enterprise tier is fifty thousand. We do not auto-mail perjury attestations to anyone.


Aye.


— Patrick Duggan, DugganUSA LLC, Minneapolis



Receipts


Doppel takedown notice received 2026-05-06 05:16 UTC: published in full in our previous post at dugganusa.com/post/doppel-sent-an-ai-takedown-bot-medtronic-skipped-item-1-05-microsoft-already-published-the-chain-1.


Doppel funding: BusinessWire May 2 2025 ($35M Series B at $205M valuation), PRNewswire November 19 2025 ($70M Series C at $600M+ valuation), Fortune Exclusive November 19 2025.


Medtronic 8-K April 27 2026: SEC EDGAR accession 0001628280-26-027272, Item 7.01 + Item 9.01.


ShinyHunters claim: BleepingComputer, HIPAA Journal, The Lyon Firm, Infosecurity Magazine, State of Surveillance, Anavem, Cyber News Centre — coverage week of April 24 2026.


R.R. Donnelley SEC settlement June 2024: SEC Press Release 2024-75, $2.125M civil penalty for cybersecurity disclosure controls failures.


HIPAA penalty tiers 2024 inflation-adjusted: HHS HIPAA Journal 2024 update.


SEC Cybersecurity Disclosure Final Rule effective December 18 2023: SEC Press Release 2023-139.


Nominative fair use doctrine: New Kids on the Block v. News America Publishing, 971 F.2d 302 (9th Cir. 1992).



