HC3 Victim Notification

HC3 Cyber Engagement (CE) works with many partners, including several thousand Healthcare and Public Health (HPH) entities, law enforcement entities, and preparedness and security vendors, to help elevate cybersecurity posture in the HPH Critical Infrastructure Sector. Some of this work involves directly and indirectly sharing vulnerabilities, victim feeds, and analyses.

What Are Victim Notifications?

Directed communications to victims or potential victims of breaches, vulnerable equipment, or personal identifiable information (PII)/protected health information (PHI) theft.

What Do the Notifications Cover?

  • Victimized HPH entities where a threat actor:
    • has obtained access to the infrastructure of an HPH entity
    • has stolen and posted sensitive PHI/PII for sale
    • is conducting a business email compromise and is posing as a representative of the HPH entity
  • Vulnerable HPH entities who:
    • inadvertently share PHI/PII in an open format
    • are susceptible to known vulnerabilities or have exposed systems
HC3 Victim Notice.png
*This content is in the process of Section 508 review. If you need immediate assistance accessing this content, please submit a request to [email protected]. Content will be updated pending the outcome of the Section 508 review.


How Is the Information Obtained?

HC3 gathers the information from a variety of sources, including original research and tips from partners.

How Are Victims Notified?

HC3 leverages the HHS Office of Inspector General (HHS-OIG) and the FBI to get in touch with the impacted entities. As the law enforcement arm of the HHS, the OIG has the authority to engage in more directed actions in support of HPH entities.

HC3 Contact Info: [email protected]

HHS-OIG Contact Info: [email protected]

Content created by Office of the Chief Information Officer (OCIO)
Content last reviewed