The data that may have been compromised included birth dates, medical record numbers and diagnoses. The information was exposed for about 40 minutes on May 6 after an OHA employee clicked a link in email the worker thought was from someone they knew, the agency said.