When does law enforcement have to be notified of a data breach?

Law enforcement usually becomes involved in a data breach only when the breach also violates criminal law or presents a national-security or public-safety hazard. HIPAA, state breach-notification statutes, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), and the Federal Trade Commission (FTC) Health Breach Notification Rule specify when and how covered entities must notify affected individuals and agencies such as HHS or the FTC, but none of them requires contacting law enforcement directly.

One StatPearls chapter on HIPAA compliance notes that in the U.S., “Most [HIPAA] breaches resulted from employees’ negligence and noncompliance… rather than external hacking." When a breach involves theft, extortion, fraud, or life-threatening harm, such as a hospital’s systems being held for ransom, federal authorities should be engaged. The FBI encourages victims of cybercrime to report promptly, for example through the Internet Crime Complaint Center (IC3), so that it can assist with recovery and investigation.


The distinction between breach notification and crime reporting

Breach notification laws are about transparency and data protection. They specify how and when covered entities must tell patients, regulators, or investors that protected information was exposed, but they generally do not tell you to call the police. Crime reporting, by contrast, is about alerting law enforcement when illegal activity has occurred. If someone steals patient data to commit identity theft or demands a ransom, that is a crime. An accidental exposure of unencrypted medical records, on the other hand, is generally not a crime; it may still be a HIPAA violation carrying civil penalties, but it is a compliance matter handled by regulators.

If the breach results from hacking, fraud, or extortion, it can be treated as a crime. The FTC’s breach-response guide points out that all states have breach-notification laws and advises businesses to check federal requirements too. It also recommends notifying law enforcement promptly: “Call your local police department immediately… If your local police aren’t familiar with investigating information compromises, contact the local office of the FBI or the U.S. Secret Service."


When law enforcement should be contacted, even when it is not strictly required

Notify the FBI when the breach appears criminal

The FBI should be contacted if a breach involves ransomware, extortion, credential theft, unauthorized access, data theft, business email compromise, insider theft, or an ongoing intrusion.

Contacting the FBI matters most when attackers are still present in the environment, clinical systems are disrupted, a ransom has been demanded, or patient data may have been stolen for use in fraud. As the FBI explains, ransomware attacks can cause costly operational disruption and the loss of critical data.

The FBI advises ransomware victims to contact their local FBI field office and to report the attack to IC3. Its guidance states, “If you are a victim of ransomware, contact your local FBI field office or file a report at ic3.gov.”


Notify CISA when the incident affects care delivery or infrastructure

CISA should be contacted when a cyber incident affects hospital operations, electronic health records, claims systems, pharmacy systems, scheduling, email, cloud services, network availability, or other infrastructure tied to patient care.

CISA’s CIRCIA reporting rule is still in rulemaking; mandatory reporting takes effect only once the final rule is published and in force. In the meantime, CISA encourages voluntary reporting of cyber incidents.

According to the CIRCIA advisory, “While covered cyber incident and ransomware payment reporting under CIRCIA will not be required until the CIRCIA final rule goes into effect, CISA encourages all entities to voluntarily share with CISA information on cyber incidents prior to the effective date of the final rule.”


Notify the U.S. Secret Service when the breach involves payment fraud

According to the U.S. Secret Service’s cyber investigations homepage, “Our mission is to investigate the most significant cybercrime organizations that exploit and undermine critical U.S. infrastructure and financial payment systems.” If a healthcare breach involves wire fraud, business email compromise, diverted reimbursements, payroll fraud, ACH fraud, payment-card theft, or fraudulent vendor invoices, contact the U.S. Secret Service.

Healthcare breaches often turn into financial crimes when attackers reroute payments through hijacked email accounts, billing systems, or vendor portals. The Secret Service investigates financially motivated cybercrime and violations involving financial systems. Its guidance on business email compromise (BEC) describes it as a common cybercrime that affects both U.S. businesses and individuals.


HIPAA requires notice to individuals and sometimes the media

Under HIPAA’s Breach Notification Rule, covered entities must alert affected individuals and HHS, and for large breaches the media, but HIPAA does not require notifying law enforcement. The rule, codified at 45 CFR Part 164, Subpart D, focuses on notifying the people affected and the HHS Office for Civil Rights (OCR).

The patient-facing purpose matters because healthcare breaches are not rare or minor events. Paubox’s 2026 Healthcare Email Security Report found 170 email-related healthcare breaches were reported to HHS in 2025, exposing protected health information for 2.5 million individuals. The same analysis found 74% of breached domains had ineffective DMARC protection, showing how weak email authentication continues to create preventable risk in healthcare.

If 500 or more individuals are affected, the covered entity must notify HHS OCR without unreasonable delay, at the same time as it notifies the individuals (and no later than 60 days after discovering the breach). OCR provides an online form that covered entities use to report breaches affecting 500 or more individuals. For breaches involving fewer than 500 people, covered entities keep a log of the breaches and submit it to HHS annually, within 60 days after the end of the calendar year in which the breaches were discovered.

HIPAA also requires that if a breach affects more than 500 residents of a state or jurisdiction, the entity must notify prominent media outlets serving that area, so the wider public learns of breaches that are very large or concentrated locally. HIPAA notices are about transparency and protecting the patient. The rule does, however, allow notification to be delayed if a law enforcement official states that immediate notice would impede a criminal investigation or damage national security: a written statement permits a delay for the period it specifies, while an oral statement must be documented and permits a delay of no more than 30 days unless a written statement follows.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)


FAQs

When should the FTC be notified instead of, or alongside, HHS OCR?

The FTC may be involved when the organization is outside HIPAA and operates as a vendor of personal health records or a related entity. The FTC Health Breach Notification Rule requires vendors of personal health records and related entities to notify consumers after a breach involving unsecured information.


Should a business associate contact federal law enforcement directly?

HIPAA itself only requires a business associate to notify the covered entity of a breach (45 CFR 164.410); it does not require the business associate to contact law enforcement. Whether to do so directly is a judgment call made with the covered entity, but a business associate should escalate quickly when it detects ransomware, unauthorized access, data theft, fraud, or an active cyber intrusion, since those are the situations in which the FBI, CISA, or the Secret Service can help.


Does contacting federal law enforcement mean the breach becomes public?

Not automatically. A law enforcement report is different from public HIPAA notice. Public notice usually comes from HIPAA, FTC, state breach laws, SEC rules for public companies, media reporting, litigation, or the organization’s own communications.
