Steve Gantz comments on the apparent discrepancy in breach reports received by the FTC from PHR vendors and by HHS:
It seems fair to ask, can any substantial conclusions be drawn from the paucity of breaches reported to the FTC or their relative triviality? No one appears to be suggesting that the data protection practices of organizations subject to the FTC’s data breach rule are superior to those of those covered under HHS’ rules, so why so few breaches reported to the FTC? Several possible explanations come to mind, only some of which have anything to do with security or privacy practices.
Read his analysis on Security Architecture.