The data, including insurance forms, social security numbers and doctors' notes, was placed on a website by Southern California Medical-Legal Consultants. The company thought only clients could access it.
The personal data was discovered by Aaron Titus, a researcher with Identity Finder, who then alerted Hecht's firm and The Associated Press. He found it through Internet searches, a common tactic for finding private information posted on unsecured sites.
The information has since been removed.
Among the files were summaries that spelled out, in painstaking detail, a trucker's crushed fingers, a maintenance worker's broken ribs and one man's bout with sexual dysfunction.
The incident offered an alarming glimpse at privacy risks as the nation moves steadily into an era in which every American's sensitive medical information will be digitized.
Electronic records can lower costs, cut bureaucracy and ultimately save lives. The government is offering bonuses to early adopters and threatening penalties and cuts in payments to medical providers who refuse to change.
But there are not-so-hidden costs with modernization.
"When things go wrong, they can really go wrong," says Beth Givens, director of the nonprofit Privacy Rights Clearinghouse, which tracks data breaches. "Even the most well-designed systems are not safe. ... This case is a good example of how the human element is the weakest link."
California, like most states, has a law requiring companies to notify consumers when their information has been breached. It was unclear if all patients had been notified.
The Associated Press contributed to this report.