Hackers who went undetected for eight months gained wholesale access to medical records and other personal data of the 1.8 million Premera Blue Cross health plan members in Washington State and Alaska as well as anyone who did business with the company.
Premera says in a posting that it has called in the FBI to help investigate the incident and is relying on Mandiant to help figure out how the attackers got in and to clean up its network.
Between May 5, 2014 and Jan. 29, 2015, attackers were inside the Premera network and had access to names, dates of birth, addresses, telephone numbers, email addresses, Social Security numbers, member identification numbers, medical claims information and financial information, the company says.
Premera says it doesn't know whether the data was removed from the network and has no proof that it has been used inappropriately.
Records accessed include those of individual members as well as affiliated healthcare providers, businesses that provided coverage for their employees and groups Premera does business with. The breach affects Premera and its affiliates Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and affiliate brands Vivacity and Connexion Insurance Solutions. It also affects any Blue Cross members from outside the area who sought treatment from these entities.
The company says it doesn't store customer credit card information so none was compromised.
A breach at insurance giant Anthem exposed data about 78.8 million customers but, unlike in the Premera case, no health records or financial information.
Premera customers can sign up for two years of free credit monitoring and identity protection services from Experian, according to a company posting.
The company didn't say how the attackers broke in or how the breach was discovered.
The company is based in Mountlake Terrace, Washington, and had 2013 revenues of $7.59 billion.