When Missy Brown opened her email Monday morning, she was stunned to find a document from her doctor's office containing personal information for 15,000 names.
"I think the subject line said 'coupon attached,' and I saw that there was a spreadsheet attachment," she said. "As soon as I opened it, I saw that it was a spreadsheet that had personal information in it."
The document was a detailed list of nearly 15,000 names and corresponding addresses, appointment dates and Social Security numbers, all from the office of Dr. Mary Ruth Buchness, a dermatologist in Soho. It's not clear how and why the file was sent out.
"I immediately searched for my name to see if my Social Security number and date of birth were in there. They were not but my husband's were," said Brown.
It's unclear how many different people received the email -- the doctor's office didn't say. But most of them don't know each other.
When Brown called her doctor's office, "I got a receptionist who told me that they were aware of it and only a handful of people had opened the email and that they would be recalling the message."
A receptionist at Buchness' office told NBC 4 New York Monday evening she had no information at the time. A home phone number for Buchness was not listed.
Brown said she's filed a complaint with the Department of Health. Federal HIPAA law states medical offices "must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly."
"You can't unring the bell, as they say," said Brown, "Once it's out there, it's out there. I just feel like offices have to be responsible for sensitive information like this."
Security expert Adam Levin, who started the company Identity Theft 911, said when a person's Social Security number suddenly becomes public domain, the victim needs to find out from the organization responsible whether it will offer a credit-monitoring product.
He said in addition to pushing the doctor's office for credit monitoring, victims need to continually check their credit on their own, and should also consider a credit freeze to make it difficult to open an account in their names. They should beware of phishing scams and file taxes early so no one else can file in their names.
And Levin even said patients shouldn't give doctors their Social Security numbers.
"Information is any doctor's office should be encrypted," said Levin. "I also advise people never to give your Social Security to a doctor -- give them your insurance information."
Rebecca Brickman, another patient who was listed in the spreadsheet, agreed: "People should be careful about writing down their Social Security number. I don't think you always have to."
The doctor's office, in a follow-up phone call Tuesday, said it is still investigating and will consider a credit-monitoring service for affected patients.