ProPublica's Charles Ornstein reports that federal regulators are rarely fining health care organizations for data breaches. There have been more than 1,140 large breaches affecting more than 41 million people in the last 5.5 years. But there have been fines levied just 22 times, even though the Health Information Technology for Economic and Clinical Health Act, known as the HITECH Act, has required healthcare providers to report breaches involving at least 500 patients since 2009.