Uh-Oh...
Only the internal IT department is incorrect.
Explanation :
Notifying patients whose information was compromised, along with regulatory agencies and legal counsel, ensures compliance with legal requirements and maintains transparency and trust.