Premera said the attackers may have gained access to claims data, including clinical information, along with banking account numbers, Social Security numbers, birth dates and other data in an attack that began in May 2014.
It is the largest breach reported to date involving patient medical information, according to Dave Kennedy, an expert in healthcare security who is chief executive of TrustedSEC LLC.
About 6 million of the people whose accounts were accessed are residents of Washington state, where customers include employees of Amazon.com Inc, Microsoft Corp and Starbucks Corp, according to Premera. The rest are scattered across every U.S. state.
The insurer said it has so far uncovered no evidence to show that member data was "used inappropriately."
Medical records are highly valuable on underground criminal exchanges where stolen data is sold because the information is not only highly confidential but can also be used to engage in insurance fraud.
"Medical records paint a really personal picture of somebody's life and medical procedures," Kennedy said. "They allow you to perpetrate really in-depth medical fraud."
A Starbucks spokesman told Reuters that Premera notified the coffee chain on Tuesday that Starbucks may have been affected by the attack. A representatives from Amazon did not respond to requests for comment, and a representative at Microsoft declined comment.
Although a breach at Anthem disclosed earlier this year and another large one disclosed last year by hospital operator Community Health Systems Inc involved larger numbers of records, those companies said they believed the attackers did not access medical information.
The Premera breach was uncovered on Jan. 29, the day that insurer Anthem Inc disclosed a cyber attack involving records of some 79 million members in Blue Cross Blue Shield plans across the country.
Premera spokesman Eric Earling said the two attacks were unrelated and that his company independently identified its breach.
Still, experts expect that other healthcare companies will find that they have been breached as the latest attack prompts them to look for intrusions.
"I think other insurance providers are compromised today and we still don't know it. More and more are going to disclose attacks," Kennedy said.
Premera hired FireEye Inc to investigate the matter and is also working with the FBI.
The attack affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and affiliated brands Vivacity and Connexion Insurance Solutions.