Ohio’s University Hospitals (UH) recently began notifying more than 7,100 patients that their personal health information may have been exposed when an unencrypted hard drive was stolen from a third-party vendor helping to upgrade the enterprise’s computer systems, according to The Plain Dealer.

According to the letter sent to patients, someone stole the hard drive from the car of one of the vendor’s employees. UH was informed of the theft Aug. 8, and the hospital system has been determining the exact information on the drive since then. The data reportedly came from 19 computers from physician offices, and the encryption process on the stolen drive had not been initiated.

The data included “a very limited number” of Social Security numbers.

The hospital system included information in the notifications about placing a fraud alert on credit files and how to obtain a free credit report. The letters also stated that UH is “actively engaged with an independent IT security consulting firm to strengthen (its) protocols.”