If a breach occurs, then the covered entity must notify the individual «without unreasonable delay», but no later than 60 days after discovery of the breach. (beyondthefineprint.com)
Following discovery of the breach, the voter information was then downloaded by Chris Vickery, a cyber risk analyst who identified Election Systems & Software (ES&S) as the controller of the data. (rare.us)
As provided in the HIPAA Breach Notification Rule, covered entities, upon discovery of a breach of unsecured PHI, may have up to three separate notification obligations, depending upon the number of affected individuals: (healthitechlaw.com)