Last time I checked, HIPAA fines were essentially not enforced. No wonder breaches occur all the time.
It’s a toothless law, really. I’ve worked in IT in both healthcare and finance, and I can tell you that people care a LOT about their money, but personal health data is waved off as incidental damage in the event of a loss or breach.