While HIPAA is well known, there are also breach-notification obligations under the FTC's Health Breach Notification Rule, which applies to vendors of personal health records and related entities that fall outside HIPAA.
From the linked page below:
“Does your business or organization have a website that allows people to maintain their medical information online? Do you provide applications for personal health records – say, a device that allows people to upload readings from a blood pressure cuff or pedometer into their personal health record?
The American Recovery and Reinvestment Act of 2009 includes provisions to strengthen privacy and security protections for this new sector of web-based businesses. The law directed the Federal Trade Commission to issue a rule requiring companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule.” [..]
https://www.ftc.gov/tips-advice/business-center/guidance/health-breach-notification-rule