It really depends on the size of the breach. Small breaches, such as misdirected mail, are extremely common. The Office of Civil Rights (OCR), which adjudicates these cases, doesn’t have time to care about small breaches like this. The one exception would be if OCR received a complaint. In that instance, they are more likely to conduct an investigation to see if there is a pattern of non-compliance. Larger breaches, especially those over 500 records, are far more likely to get their attention. Keep in mind that all breaches must be reported. If it is a breach over 500 records, it must be reported within 60 days and requires other actions such as reporting to local media. If it is less than 500 records, then annual reporting is required.