Report the suspected breach to the company or organisation. Copy that to your local consumer protection government agency, usually your state attorney general's office in the US. State AGs are also generally responsible for data breach notifications where state laws require this (e.g., California).
The US FTC has a data breach resource guide with specific directions for businesses and individuals: <https://www.ftc.gov/data-breach-resources>. The consumer guide is here: <https://www.bulkorder.ftc.gov/system/files/publications/pdf-...> (PDF, 4 pages). It's ... not especially useful, mostly a guide to what information you should seek to protect.
You can report data breaches (and other cibercrime) to the FBI's tip line: <https://tips.fbi.gov/>
I'm not finding any particularly outstanding advice or guidance under "responsible disclosure" or similar terms, or from public online privacy organisations such as the EFF.
I'd suggest notifying any entity you suspect of a data breach that you'll be making the information public. Not as a threat or consequence of lack of response, which could be interpreted as blackmail, but simply as part of your standard procedure.
If you have a household or business attorney, you might also contact them for guidance. If you don't, you can generally get recommendations and a free consult through your local bar association.