HC3 Victim Notification

HC3 Cyber Engagement works with many partners, including several thousand Healthcare and Public Health (HPH) entities, law enforcement entities, and preparedness and security vendors to help to elevate cybersecurity posture of the HPH Critical Infrastructure Sector.  Some of this work involves directly and indirectly sharing vulnerability and victim feeds and analysis.

What are Victim Notifications?

  • Directed communications to victims or potential victims of breaches, vulnerable equipment, or personal identifiable information (PII)/protected health information (PHI) theft.

What do the notifications cover?

  • Victimized HPH entities where a threat actor
    • has obtained access to the infrastructure of an HPH entity
    • have stolen and posted for sale sensitive PHI/PII
    • is conducting a Business Email Compromise and is posing as a representative the HPH entity
  • Vulnerable HPH entities who
    • inadvertently shares PHI/PII in an open format
    • is susceptible to known vulnerabilities or have exposed systems
HC3 Victim Notice.png
*This content is in the process of Section 508 review. If you need immediate assistance accessing this content, please submit a request to [email protected]. Content will be updated pending the outcome of the Section 508 review.


How is the information obtained?


  • HC3 gathers the information from a variety of sources including original research and tips from partners.

How are Victims Notified?

  • HC3 leverages the HHS Office of Inspector General (HHS-OIG) and FBI to get in touch with the impacted entities. As the law enforcement arm of HHS, the OIG has the authority to engage in more directed actions in support of the HPH entities.

HC3 Contact info: [email protected]

HHS-OIG Contact Info: [email protected]

Content created by Office of the Chief Information Officer (OCIO)
Content last reviewed