Before we answer that question, let's think about why an organization wouldn't want to disclose a breach.
Of course, the best reason for not reporting a data breach is to avoid having one to begin with. I would highly recommend having a conversation with your IT provider (either internal or external) to see what they are doing to mitigate recent attack vectors and minimize your risk footprint.
Reputation - Reporting a breach could cause brand name damage and tarnish the trust you have worked so hard to establish with your clients.
Cost - You could be fined for the loss of data if you did not have the proper mechanisms in place to protect that data.
Requirements - Ignorance of what is required by law. Depending on the number of records, you may be required to report to authorities and local media. Recent settlements with the Office of Civil Rights (OCR) prove that ignorance is NOT bliss.
These are pretty compelling reasons for growing practices to try to sweep the event under a rug and hope that no one finds out about it. There could not be a more damaging action for your practice to take.
Reputation - Get in front of the story (and the backlash). There is a good chance that eventually someone, somewhere would have figured it out (the FBI Internet Crime Complaint Center (IC3) is usually involved through a fraud investigation). Instead, you were direct and upfront about the incident.
Cost - We will assume the data was encrypted. Right? If so, it may be shown that the chances of that data being accessible are minimal, and the incident may be covered under safe harbor.
Requirements - Breaches of 500 or more records require authorities, OCR, and the media to be contacted within 60 days (again, sooner is better). Breaches involving fewer than 500 records must be reported to authorities "as soon as possible" and to OCR within 60 days of the end of the year.
Why sharing is a good thing:
It enables companies to band together. We learn from each other's mistakes! If the breach was due to negligence or an inadvertent mistake, it is also a teachable moment.
It provides data for developing mitigation strategies. This can help inform an organization, or even best practices within an entire industry. Data can help reveal where the threats are and the scope and size of the problem.