Is it necessary for a data controller in the EU/EEA to notify a breach involving data subjects in third countries?

Yes, it does not matter where the data subject is located in your assessment of whether or not you need to notify the breach to a data protection authority. If you are established in the EU/EEA, the General Data Protection Regulation (GDPR) applies to your processing of personal data. This is regardless of whether the processing takes place in the EU/EEA or not.

Article 3.1 and 33 GDPR

Personal data breaches (in Swedish)