Financial, medical data found on Net

2007-05-24

Karen Auge

http://www.denverpost.com/headlines/ci_5971015



Private medical and financial information on as many as 5,000 emergency-room patients, most of them from Colorado, was found last week on the Internet, where it could have been viewed by the public.

The information had been sent to Beacon Medical Services, an Aurora company that processes billing for emergency physicians.

Beacon will contact patients whose files may have been compromised, said the company's chief executive, Dennis Beck.

"Our clients, who entrusted their records to the system, have been victimized; their patients have been victimized and we have been victimized," Beck said.

The information was on a virtual private network and should not have been accessible without a password, according to Beacon officials.

"We are very hopeful that access to this area was extremely limited," said Bill Byron, spokesman for Banner Health, which operates one of the impacted hospitals, McKee Medical Center in Loveland.

The company learned of the security problem Friday afternoon, and immediately shut down access to the server, Beck said.

The company has hired forensic experts to test its system and try to figure out how the breach occurred. In the meantime, Beacon's billing system is down.

Beacon said it has two theories on how the breach happened:

One is that a contractor working on the company's system created a "back-door" access point and inadvertently left it open.

The second is that someone deliberately hacked into the information.

Despite what Beck called a security "hole," the company and several medical providers say the information would not be easily accessible to the public.

"This was an FTP site, not an html. You can't Google it or find it on Yahoo," said Linda Kanamine, spokeswoman for HealthOne.

Two HealthOne hospitals, Denver's Presbyterian/St. Luke's Medical Center and North Suburban Medical Center in Thornton, were involved in the breach.

FTP, or file transfer protocol, is a standard way for one computer to send files to another; an FTP server is usually a private site, reachable only with a username and password, through which one company delivers data to another. In the case of medical information, the files are often encrypted before they are sent. The protocol itself encrypts nothing, however: unless a secured variant such as FTPS or SFTP is used, both the login credentials and the file contents cross the network in clear text, and a server that can be reached without a password exposes whatever files are on it.

Kanamine said HealthOne, like most other health-care providers, is moving toward putting all medical records on computers. This incident won't change that, she said.

"In this era, electronic records are the best way to ensure continuity of care," she said.

Beacon acknowledged that the security hole may have existed for a year, and none of the regular security tests uncovered it.

The company was alerted to the problem by Jon Gordon, who does a show about technology for Minnesota Public Radio. Gordon learned of it from a tipster.

It is possible that the files have been unprotected for more than a year, said Charles Russell, spokesman for Beacon.

Investigators hired by the company said they believe the files were only recently accessed.

Anyone who did access it would have left a "footprint," Russell said. "And there is no evidence of anyone coming in that door until about a month ago."

Since then, four users have accessed the server, Beck said. One belonged to Gordon, the radio reporter. "We are working to determine who the others [are] and what files they may have viewed or downloaded," Beck said.
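The "footprint" Russell describes is the FTP server's transfer log. As an added illustration that is not part of the article or of the forensic work it reports, the Python below parses a few constructed records in xferlog format (the standard wu-ftpd/ProFTPD transfer log; every address, username and file name is invented) and answers the two questions the investigators were asking: when the first recorded access was, and which remote hosts completed downloads of which files.

```python
"""Reconstruct who accessed what on an FTP server from its transfer log.

Added example, not from the article or from Beacon's investigators: the
"footprint" an FTP visitor leaves is the server's transfer log. The log lines
below are constructed sample records in the standard wu-ftpd/ProFTPD xferlog
layout; every host address, username and file name here is invented.
"""
from datetime import datetime

# Constructed sample xferlog (invented hosts, users and paths); the last line
# is deliberately malformed to show that garbage is skipped, not crashed on.
SAMPLE_XFERLOG = """\
Mon Apr 23 09:14:02 2007 3 203.0.113.7 51200 /billing/er_claims_2007.csv b _ o r tmpuser ftp 0 * c
Tue Apr 24 22:41:17 2007 1 198.51.100.21 8192 /billing/patient_index.txt a _ o r tmpuser ftp 0 * c
Fri May 18 15:03:44 2007 2 192.0.2.55 51200 /billing/er_claims_2007.csv b _ o r tmpuser ftp 0 * c
Fri May 18 15:05:10 2007 1 192.0.2.55 120 /billing/README a _ o r tmpuser ftp 0 * c
Sat May 19 02:12:09 2007 4 203.0.113.7 2048000 /billing/er_claims_2006.csv b _ o r tmpuser ftp 0 * i
Mon May 21 11:30:00 2007 2 10.0.0.12 4096 /billing/upload/new_batch.dat b _ i r hospital1 ftp 0 * c
this line is not a valid record
"""


def parse_xferlog_line(line):
    """Parse one xferlog record into a dict; return None for malformed lines.

    xferlog fields (whitespace separated): a 5-token timestamp, transfer time,
    remote host, bytes, path, transfer type, special-action flag, direction
    (o = download from the server, i = upload to it), access mode, username,
    service, auth method, auth user id, completion status (c / i).
    """
    f = line.split()
    if len(f) != 18:
        return None
    try:
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(f[7])
    except ValueError:
        return None
    return {"time": when, "host": f[6], "size": size, "path": f[8],
            "direction": f[11], "user": f[13], "status": f[17]}


def summarise_access(log_text):
    """Group records by remote host: first/last seen, users, files downloaded.

    Only completed outgoing transfers count as downloads; incomplete ones are
    kept separately because the visitor may still hold a partial file.
    """
    hosts = {}
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is None:
            continue
        h = hosts.setdefault(rec["host"], {
            "first": rec["time"], "last": rec["time"],
            "users": set(), "downloaded": set(), "partial": set(),
        })
        h["first"] = min(h["first"], rec["time"])
        h["last"] = max(h["last"], rec["time"])
        h["users"].add(rec["user"])
        if rec["direction"] == "o":
            bucket = "downloaded" if rec["status"] == "c" else "partial"
            h[bucket].add(rec["path"])
    return hosts


def earliest_access(hosts):
    """ISO timestamp of the oldest record in the log (the 'since when' answer)."""
    return min(h["first"] for h in hosts.values()).isoformat()


def who_downloaded(hosts, path):
    """Set of remote hosts that completed a download of the given path."""
    return {host for host, h in hosts.items() if path in h["downloaded"]}


if __name__ == "__main__":
    summary = summarise_access(SAMPLE_XFERLOG)
    print("earliest recorded access:", earliest_access(summary))
    for host, h in sorted(summary.items(), key=lambda kv: kv[1]["first"]):
        print(host, "users=%s" % sorted(h["users"]),
              "downloaded=%s" % sorted(h["downloaded"]),
              "partial=%s" % sorted(h["partial"]))
```

Two caveats a practitioner would apply to this kind of review: xferlog records only file transfers, so logins and directory listings have to be pulled from the FTP daemon's own log, and an absence of records before a given date proves nothing if the log was rotated or the server rebuilt. The earliest entry bounds what the log shows, not when the exposure began.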
