In the case of the federal healthcare exchange, there is no legal requirement to report such breaches. Individuals on the federal exchange are without such protection, though most states do have reporting requirements. The issue came up during regulatory comments, and HHS apparently declined to support any sort of mandatory reporting rule. They'll let us know when they feel like it.
To add salt to the wound, HIPAA privacy protections do cover insurance companies and health providers accessing federal government systems, but the federal government itself is not obligated to honor those protections. Fancy that.
HT: National Review