Fines Remain Rare Even As Health Data Breaches Multiply

In a string of meetings and press releases, the federal government's health watchdogs have delivered a stern message: They are cracking down on insurers, hospitals and doctors' offices that don't adequately protect the security and privacy of medical records.

"We've now moved into an area of more assertive enforcement," Leon Rodriguez, then-director of the U.S. Department of Health and Human Services' Office for Civil Rights, warned at a privacy and security forum in December 2012.

But as breaches of patient records proliferate (just this month, insurer Anthem revealed a hack that exposed information for nearly 80 million people), federal overseers have seldom penalized the health care organizations responsible for safeguarding this data, a ProPublica review shows.

Since October 2009, health care providers and organizations (including third parties that do business with them) have reported more than 1,140 large breaches to the Office for Civil Rights, affecting upward of 41 million people. They've also reported more than 120,000 smaller lapses, each affecting fewer than 500 people.

In some cases, records were on laptops stolen from homes or cars. In others, records were targeted by hackers. Sometimes, paper records were forgotten on trains or otherwise left unattended.

Yet, over that time span, the Office for Civil Rights has fined health care organizations just 22 times.

"It's disappointing and underwhelming," said Bob Chaput, founder and chief executive of Clearwater Compliance, which helps health care organizations create programs to protect sensitive information. "They're not doing as much as they could or should."

The Office for Civil Rights declined an interview request from ProPublica, but said in a statement that it "aggressively" identifies and investigates "high-impact cases that send strong enforcement messages about important compliance issues." The agency looks into all large data breaches, a spokeswoman wrote in an email, and the cases resulting in financial penalties "have involved systemic and/or long-standing" concerns.

The agency's stiffest sanction to date came last May, when it hit New York-Presbyterian Hospital and Columbia University with fines totaling $4.8 million for failing to secure the electronic health records of 6,800 people. A physician had tried to remove his personal computer server from a shared network, causing patient records, including patient status, vital signs, medications and lab results, to be found on Web search engines. The problem surfaced when a person found a deceased partner's personal health information online.

The federal government has played a growing role in health privacy and security since the passage of the Health Insurance Portability and Accountability Act, or HIPAA, in 1996. The law mandated standards for the use and dissemination of health care information and for how organizations protect electronic medical records.
