The Gramm-Leach-Bliley Act ("GLBA") and the American Recovery and Reinvestment Act require that certain financial institutions as well as health care providers, or businesses that provide services to health care providers, notify patients and the government if the security of the personal information that they maintain is breached.
You should consult an attorney to determine if you are covered by one of these statutes.
Almost every state and territory, including the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, has enacted a "data breach notification" statute. Although statutes vary between states, data breach notification statutes generally require businesses that have personal information about residents within a state to notify those residents if someone who is not authorized acquires that information.
You should consult an attorney to determine which state data breach notification statutes apply to your business, and what the specific requirements of those statutes might be.