The Cambridge Hospital campus of Cambridge Health Alliance, which reported a data breach Friday. *(Photo: Marc Levy)

Personal information about approximately 2,500 patients at Cambridge Health Alliance got into the hands of “an unauthorized third party,” the health care system announced Friday. The breach involved only “certain patients who were treated at CHA in 2013,” spokesman David Cecere said.

The Alliance learned of the data loss from Everett police two months ago when they told the Alliance that they had discovered electronic files “in the possession” of the unnamed “unauthorized third party,” Cecere said. Everett police couldn’t immediately be reached and the Alliance didn’t give any more details.

The breach didn’t involve the Alliance’s online bill paying system, Cecere said.

Under the federal patient privacy law known as HIPAA, health care officials must notify patients within 60 days of learning that patients’ personal information may have been compromised. The Alliance mailed notices to the affected patients March 28, Cecere said.

The records included billing information and, in some cases, “limited clinical information,” but not medical records, Cecere said. The billing data could have contained “patients’ names, addresses, phone numbers, dates of birth, Social Security number, charges for past health care services and discharge dates,” he said.

The Alliance has set up a phone number for affected patients who have questions, and is offering a year of free credit monitoring and identity protection to those whose Social Security number were in the files, according to a notice on the Alliance website, CHAlliance.org. The notice also said patients who didn’t get a letter by April 21 and think they were affected should call 1-833-219-9083 during weekday work hours. Most affected patients should get a letter soon; the April cutoff date is for cases where the address known to the Alliance is incorrect, Cecere said.

Massachusetts requires reporting of data breaches of any kind, not only related to health care, although there is no specific time limit. Listings posted by the state Office of Consumer Affairs and Business Regulation show that banks and other financial companies report the most security incidents. The breaches must be reported to the consumer affairs office and to the state Attorney General.

The Alliance said it is investigating the data loss with the help of an outside “forensic firm.”