BOSTON — Medical giant HCA Healthcare, which operates 180 hospitals in the U.S. and Britain, says the personal data of about 11 million patients in 20 states may have been stolen in a data breach.
Samples of the data, including addresses, phone numbers, emails and birth dates, were posted to an online forum popular with cybercrooks by a hacker trying to sell them.
The Nashville, Tennessee-based provider said the stolen data was not believed to include Social Security numbers, payment information or clinical info, such as diagnoses.
However, the data did include information on scheduled appointments and medical departments involved. A file dumped online by the hacker on Monday following what appeared to be a failed attempt to extort HCA includes nearly 1 million records from the company’s San Antonio division.
If 11 million patients are affected, the breach would rank in the top five as reported by health care institutions to the Department of Health and Human Services Office of Civil Rights. In the worst such hack, targeting the medical insurer Anthem Inc. in 2015, 79 million people were affected. Chinese spies were indicted in that case, and there was no evidence the stolen data was ever put up for sale.
The recent hacker, who first posted a sample of stolen data online July 5, was trying to sell the data and apparently tried to extort HCA. They claimed to have 27.7 million records and set a Monday deadline.
In a statement posted to its website Monday, HCA said the data was stolen from “an external storage location” used to “automate the formatting of email messages.” HCA did not say when it learned of the theft.