
Contact with Authorities

Effective: March 17, 2026 · DCF-744

1. Purpose

This document establishes and maintains a register of relevant authorities with whom H33.ai, Inc. may need to communicate regarding information security matters, as required by ISO 27001:2022 Control A.5.5. It defines when and how to contact each authority, ensuring timely and appropriate communication during security incidents, data breaches, and regulatory inquiries.

This register is particularly critical for HIPAA breach notification compliance, which mandates notification to the HHS Secretary within 60 calendar days of discovery for breaches affecting 500 or more individuals, and annually for smaller breaches.

2. Document Information

Document Owner: Eric Beans, CEO/CISO
Contact Initiator: Eric Beans, CEO/CISO (sole authorized contact unless delegated in writing)
Review Frequency: Annual (or upon material change to regulatory environment)
Last Reviewed: March 17, 2026
Next Review: March 17, 2027

3. Authority Contact Register

3.1 HHS Office for Civil Rights (OCR)

Jurisdiction: HIPAA enforcement (Privacy Rule, Security Rule, Breach Notification Rule)

Address: U.S. Department of Health and Human Services, Office for Civil Rights, 200 Independence Avenue, S.W., Room 509F, HHH Building, Washington, D.C. 20201

Phone: 1-800-368-1019 (toll-free) / 1-202-619-0403

TDD: 1-800-537-7697

Breach Portal: https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf

Website: https://www.hhs.gov/ocr

When to Contact:

  • MANDATORY — Breach of unsecured PHI affecting 500+ individuals: within 60 calendar days of discovery via HHS Breach Portal
  • Breach of unsecured PHI affecting fewer than 500 individuals: annually, no later than 60 days after end of calendar year in which breach was discovered
  • Response to OCR investigation or compliance review inquiry

3.2 FBI Cyber Division

Jurisdiction: Federal cyber crime investigation, nation-state threats, advanced persistent threats

Address: FBI Headquarters, 935 Pennsylvania Avenue, N.W., Washington, D.C. 20535-0001

Local Field Office: FBI Tampa Field Office, 5525 West Gray Street, Tampa, FL 33609

Phone (Tampa): 813-253-1000

IC3 (Internet Crime): https://www.ic3.gov

Tips: 1-800-CALL-FBI (1-800-225-5324)

Website: https://www.fbi.gov/investigate/cyber

When to Contact:

  • Suspected nation-state cyberattack or advanced persistent threat (APT) targeting H33 post-quantum cryptographic systems
  • Ransomware attacks or extortion attempts
  • Significant intellectual property theft (cryptographic algorithms, source code)
  • Criminal cyber intrusion with evidence of organized threat actor

3.3 CISA (Cybersecurity and Infrastructure Security Agency)

Jurisdiction: National cybersecurity incident coordination, critical infrastructure protection, vulnerability disclosure

Address: CISA, 1110 N. Glebe Road, Suite 400, Arlington, VA 20598-0610

Phone: 1-888-282-0870 (24/7 operations center)

Email: report@cisa.gov

Incident Reporting: https://www.cisa.gov/report

Website: https://www.cisa.gov

When to Contact:

  • Significant cybersecurity incidents affecting critical infrastructure or cloud services
  • Discovery of zero-day vulnerabilities in widely used software (responsible disclosure)
  • Suspected supply chain compromise affecting AWS or other cloud providers
  • Voluntary incident reporting for situational awareness sharing
  • As required by CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) if applicable

3.4 Federal Trade Commission (FTC)

Jurisdiction: Consumer protection, unfair or deceptive trade practices, data security enforcement

Address: Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580

Phone: 1-877-FTC-HELP (1-877-382-4357)

Complaint Portal: https://reportfraud.ftc.gov

Website: https://www.ftc.gov

When to Contact:

  • Response to FTC inquiry or investigation regarding data security practices
  • Health breach notification under FTC Health Breach Notification Rule (if applicable to non-HIPAA covered entities)
  • Voluntary reporting of significant consumer data security incidents

3.5 Florida Attorney General — Office of the Attorney General

Jurisdiction: Florida state breach notification law (Florida Statute 501.171, Florida Information Protection Act)

Address: Office of the Attorney General, State of Florida, The Capitol PL-01, Tallahassee, FL 32399-1050

Phone: 1-866-966-7226 (toll-free) / 850-414-3300

Breach Notification: https://www.myfloridalegal.com/pages/breach-notification

Email: citizenservices@myfloridalegal.com

Website: https://www.myfloridalegal.com

When to Contact:

  • MANDATORY — Data breach affecting 500+ Florida residents: written notification to Florida AG within 30 calendar days of determination of breach (per FS 501.171)
  • Notification must include: synopsis of events, number of individuals affected, services offered, copy of individual notice
  • Individual notification to affected Florida residents: as expeditiously as practicable, no later than 30 days after determination

3.6 AWS Security

Jurisdiction: AWS infrastructure security incidents, shared responsibility model

Abuse Report: https://aws.amazon.com/forms/report-abuse

Security Contact: aws-security@amazon.com

AWS Support: Via AWS Support Center (Business Support plan)

Vulnerability Reporting: https://aws.amazon.com/security/vulnerability-reporting/

AWS Health Dashboard: https://health.aws.amazon.com

When to Contact:

  • Suspected compromise of AWS infrastructure components (EC2, RDS, ElastiCache, S3)
  • Detection of unauthorized AWS API activity via CloudTrail
  • AWS resource abuse (DDoS originating from H33 resources)
  • Vulnerability discovered in AWS service affecting H33 infrastructure
  • Coordination during incident response requiring AWS support

3.7 Hillsborough County Sheriff’s Office

Jurisdiction: Local law enforcement for H33.ai registered address (Riverview, FL)

Address: 2008 East 8th Avenue, Tampa, FL 33605

Non-Emergency: 813-247-8200

Emergency: 911

Website: https://www.teamhcso.com

When to Contact:

  • Physical security threats to personnel or property
  • Harassment or threats against employees
  • Theft of physical equipment
  • Filing police reports required for insurance or legal proceedings

4. Breach Notification Timelines

Authority | Trigger | Deadline | Method
HHS OCR | Breach of unsecured PHI (500+ individuals) | 60 calendar days from discovery | HHS Breach Portal (electronic submission)
HHS OCR | Breach of unsecured PHI (<500 individuals) | Within 60 days after end of calendar year of discovery | HHS Breach Portal (annual log submission)
Florida AG | Data breach affecting 500+ FL residents | 30 calendar days from determination | Written notice to Florida AG (online form or mail)
Affected Individuals | Any breach of unsecured PHI | 60 calendar days from discovery (HIPAA) | Written notice (first-class mail or email if consented)
Affected Individuals | FL data breach (personal information) | 30 calendar days from determination (FL law) | Written notice or electronic notice
Media | Breach of unsecured PHI (500+ in a state) | 60 calendar days from discovery (HIPAA) | Press release to prominent media outlets in affected state(s)
CISA | Significant cyber incident (if CIRCIA applies) | 72 hours from reasonable belief | Electronic report via CISA reporting portal
FBI | Criminal cyber activity | As soon as practicable | Phone (Tampa field office) or IC3 online report

5. Escalation Procedures

The following escalation procedure applies when contacting authorities:

  1. Initial Assessment (0–4 hours): CEO/CISO evaluates the incident to determine which authorities must be notified. Consult legal counsel if available. Document the incident in the Incident Response tracking system.
  2. Internal Notification (4–8 hours): Ensure all internal stakeholders are informed. Activate Incident Response Plan. Begin evidence preservation (CloudTrail logs, system snapshots, network captures).
  3. Authority Notification (within regulatory deadlines): CEO/CISO initiates contact with relevant authorities per the timelines in Section 4. All communications are documented and retained. Use prepared notification templates.
  4. Ongoing Communication: Maintain open communication channels with engaged authorities. Provide updates as additional information becomes available. Cooperate fully with any investigation.
  5. Post-Incident: Document all authority communications in post-incident review. Update authority contact register if any contact information has changed. Evaluate whether additional authorities should be added to the register.

6. Communication Principles

  • Timeliness: Contact authorities within required deadlines. Earlier notification is preferred when possible.
  • Accuracy: Provide factual, verified information. Clearly distinguish between confirmed facts and preliminary assessments.
  • Completeness: Include all required information per regulatory requirements. Supplement initial notification as additional facts become available.
  • Documentation: Record all communications with authorities including date, time, contact person, information shared, and commitments made.
  • Legal Review: Consult legal counsel before contacting authorities when feasible. Legal privilege considerations apply.
  • Single Point of Contact: CEO/CISO is the sole authorized representative for authority communications unless explicitly delegated in writing.

7. Review Schedule

Review Frequency: Annual (March of each year)
Last Review: March 17, 2026
Next Review: March 17, 2027
Triggered Reviews: New regulations enacted, organizational changes, lessons learned from incidents, changes to authority contact information
Reviewer: Eric Beans, CEO/CISO

8. Approval

Prepared By: Eric Beans, CEO/CISO
Approved By: Eric Beans, CEO/CISO
Approval Date: March 17, 2026
Signature: /s/ Eric Beans

Questions?

Contact the Security Officer at security@h33.ai or the Compliance team at compliance@h33.ai.

H33.ai, Inc. · 11533 Brighton Knoll Loop, Riverview, FL 33579 · 813-464-0945