The first phone call that changed Michael Daugherty’s life came in May 2008. Daugherty was a happy man, running a good business in a nice place. That’s how he talks about it, like the opening five minutes of a movie, setting up how great everything is before disaster strikes. His Atlanta-based company, LabMD, tested blood, urine, and tissue samples for urologists, and had about 30 employees and $4 million in annual sales.

Daugherty is a middle-aged guy distinguished by small, kind brown eyes and a big, meaty laugh—a business everyman of a certain vintage, with a salesman’s mix of friendly and aggressive. He’s from Detroit, and you can occasionally hear it in his vowels. Kevin Spacey could play him in the movie.

Here’s where the story turns dark. That Tuesday, LabMD’s general manager came in to tell Daugherty about a call he’d just fielded from a man named Robert Boback. Boback claimed to have gotten hold of a file full of LabMD patient information. This was scary for a medical business that had to comply with federal rules on privacy, enshrined in the Health Insurance Portability and Accountability Act. I need proof, Daugherty told his deputy. Get it in writing.

Boback e-mailed the document. It was a LabMD billing report containing data, including Social Security numbers, on more than 9,000 patients. Boback quickly got to the sales pitch: His company, Tiversa, offered an investigative service that could identify the source and severity of the breach that had exposed this data and stop any further spread of sensitive information.