Medical software firm leakes personal data of 3.1 million patients