The breach, discovered on Jan. 29, may have compromised customer names, birth dates, Social Security numbers, mailing and email addresses, phone numbers and bank account details, as well as claims and clinical information, Premera said on its website.
It hadn't determined yet if that sensitive information was actually removed from its systems, and it said there's "no evidence to date that such data has been used inappropriately." The FBI has been notified, it said.
The type of information that may have been disclosed is valuable for hackers. It can be used for health-care related fraud, such as bogus claims, or it can be used for more general cybercrime, such as bank account fraud and targeted malware attacks.
Premera Blue Cross provides health, stop-loss and disability insurance to 1.8 million people in the Pacific Northwest. Its brands also include Premera Blue Cross Blue Shield of Alaska, Vivacity and Connexion Insurance Solutions.
The company is an independent licensee of the Blue Cross Blue Shield Association, a group of 37 independent companies that provide insurance under that brand name.
Premera's breach comes about six weeks after Anthem, one of the largest U.S. health insurance providers, disclosed a breach that may have affected 78.8 million records after hackers compromised a database.
It's unclear if the breaches are linked. Premera did not reveal details on how the attackers penetrated its network, and company officials could not be immediately reached for comment.
The company said the attack started on May 5, 2014 and may have compromised customer information the company has held since 2002, which is why it's notifying 11 million people. The notifications are being sent by postal mail.
Premera said it's not emailing people because of concerns over phishing attacks, which involve spoof emails that try to trick victims into revealing information or visiting dodgy websites.
Affected customers are eligible for two years of free credit monitoring and identify theft protection services, Premera said.
Like many other large companies affected by data breaches, Premera said it has hired Mandiant, the forensic division of computer security company FireEye, to investigate.
Premera said it was taking steps taken to "cleanse its IT system" of issues raised by the attack and strengthening the security of its IT systems.
Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk