Privacy breaches force online bill-payment company out of business

Verus debacle exposed 9,200 records through open firewall
By Ellen Messmer, Network World, 08/17/2007

Small mistakes can have big consequences.

Last April, when a network technician working for Bellevue, Wash.-based Web content-management company Verus failed to set up a firewall properly as part of an online bill-payment service for hospitals, the mistake exposed patient data from at least a half-dozen hospitals across the country.

Until the mistake was discovered over a month later, patient information that had been stored by Verus on behalf of Concord Hospital in New Hampshire; St. Vincent Indianapolis Hospital in Indiana; Stevens Hospital in Edmonds, Wash.; and Sky Lakes Medical Center in Klamath Falls, Ore., among others, could be openly accessed on the Web. And it was, at least by Google bots that indexed it for search.

“Our data on about 9,200 patients was exposed for about five weeks on the Internet,” says Bruce Burns, CFO at Concord Hospital. “We were made aware it had been indexed by Google. We think a patient from Stevens Hospital was the first to discover it.”

Verus owned up to the security mistake but Concord Hospital, along with other medical-care institutions forced to explain the data breach to the public, dropped the Verus bill-paying service like a hot potato. Verus figured prominently in their press releases as the culprit behind the fiasco.

“We fielded 1,500 phone calls about this,” says Burns, who said the decision was made to discontinue the service after being notified of the data breach in June. Concord Hospital also hired a computer forensics firm to ensure the Verus servers were cleansed of the hospital patient data.

“We shut down the bill-payment feature instantly,” says Sky Lakes Medical spokesman Tom Hottman, describing the hospital’s response once it was notified of the breach. Hottman said the Verus service required that the hospital’s patient-billing data reside live on a Verus server, which was apparently shared by nine or 10 other hospitals.

“The firewall security was apparently not re-established correctly and a Google bot got to search it,” Hottman says. He adds that the hospital had had a “good relationship” with Verus President and CEO Thomas Lawry and had used the Verus Web design services for nine years.

Both Concord Hospital and Sky Lakes Medical Center believe that the data exposed was restricted to patient name, address and Social Security number, but not medical data.

Comments (1)
By Anonymous on July 22, 2008, 5:00 pm

What's next. I know Escription is totally web based. It's just a matter of time before medical records go who knows where. I think we should pull back from any medical information being web based.
