https://www.cisa.gov/reporting-cyber-incident at the federal level, if you have a state regulator where PII is in scope, report to them too. Document everything for your complaint as evidence. A GitHub Gist collecting your documentation, archived by the Wayback Machine is an effectively public timestamp mechanism if relevant.
