
Are organizations that are caught emailing PHI in the clear not punished for this? Or are the damages insufficient to change the behavior?


Yes.

Odds of an enforcement action are minimal (940 complaints for Security Rule violations in 5 years divided by one sixth the economy), given that enforcement is complaint-driven and CSV files rarely complain. If you're big enough you budget for fines like retail budgets for employee theft -- sure, don't seek it out, but you won't be heartbroken when it happens.


My experiences on this suggest that any company that both produces something classifiable as PHI and is large enough to have dedicated IT / Legal staff has fairly draconian policies that include "every attachment that is mailed to a mail server that is not ours is stripped".

When individuals work around these policies, there tends to be some level of legal shielding for the larger business entity when it is investigated.



