It does not appear that enforcing HIPAA’s data breach notification requirements is a priority for most AGs, due to the low number of actions brought under the statute. Connecticut, Vermont, Minnesota, and Indiana have each brought one action. Massachusetts is the only state that has brought more than one action . . .