The cyberattack at Premera Blue Cross in Washington state also affected 60,000 current and former members of LifeWise Health Plan of Oregon.
The two companies are affiliated and share a common IT system for claims, said Eric Earling, vice president of corporate communications at Premera.
The attack began last May and affected data going back to 2002.
"It was a sophisticated cyber attack," Earling said. "They got access, but there's no evidence they removed information from the system."
Altogether, the cyberattack may have exposed medical data and financial information of 11 million customers. It is the largest breach reported to date involving patient medical information, Dave Kennedy, an expert in health care security, told the New York Times.
Medical records can be sold on underground criminal exchanges and can be used to engage in insurance fraud, the Times reported.
It's not the first large breach uncovered this year. On Jan. 29, insurer Anthem disclosed a cyberattack involving records of 79 million customers in Blue Cross Blue Shield plans across the U.S. That attack was unrelated to the one at Premera, Earling said.
He referred Oregon customers to Lifewiseupdate.com for information on the attack and for access to two years of free credit monitoring and identity protection services, available to anyone affected by the incident.
A message on the site reads in part: "Our investigation determined that the attackers may have gained unauthorized access to applicants and members' information, which could include member name, date of birth, address, telephone number, email address, Social Security number, member identification number, bank account information, and claims information, including clinical information.
"Individuals who do business with us and provided us with their email address, personal bank account number or social security number are also affected."
The FBI is investigating the attack.